CVE-2023-38552
Severity CVSS v4.0:
Pending analysis
Type:
CWE-345
Insufficient Verification of Data Authenticity
Publication date:
18/10/2023
Last modified:
03/11/2025
Description
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node&#39;s policy implementation, thus effectively disabling the integrity check.<br />
Impacts:<br />
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.<br />
Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | 18.0.0 (including) | 18.18.1 (including) |
| cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* | 20.1.0 (including) | 20.8.0 (including) |
| cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://hackerone.com/reports/2094235
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
- https://security.netapp.com/advisory/ntap-20231116-0013/
- https://hackerone.com/reports/2094235
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
- https://security.netapp.com/advisory/ntap-20231116-0013/
- https://security.netapp.com/advisory/ntap-20241108-0002/