Rewterz Threat Advisory – CVE-2023-46158 – IBM WebSphere Application Server Liberty Vulnerability
November 5, 2023Rewterz Threat Advisory – Multiple Node.js Products Vulnerabilities
November 6, 2023Rewterz Threat Advisory – CVE-2023-46158 – IBM WebSphere Application Server Liberty Vulnerability
November 5, 2023Rewterz Threat Advisory – Multiple Node.js Products Vulnerabilities
November 6, 2023Severity
Medium
Analysis Summary
CVE-2023-39333 CVSS:5.3
Node.js could allow a remote attacker to gain unauthorized access to the system, caused by a code injection flaw. By using specially crafted export names in an imported WebAssembly module, an attacker could exploit this vulnerability to inject JavaScript code and gain access to restricted data and functions.
CVE-2023-38552 CVSS:5.3
Node.js could allow a remote attacker to bypass security restrictions, caused by the circumvention of integrity checks by the policy feature. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVE-2023-39332 CVSS:7.5
Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass using non-Buffer Uint8Array objects. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVE-2023-39331 CVSS:7.5
Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
Impact
- Gain Access
- Security Bypass
Indicators Of Compromise
CVE
- CVE-2023-39333
- CVE-2023-38552
- CVE-2023-39332
- CVE-2023-39331
Affected Vendors
Node.js
Affected Products
- Node.js 18.0
- Node.js 20.0
Remediation
Refer to Node.js Blog for patch, upgrade or suggested workaround information.