Node.js Untrusted Search Path Vulnerability CVE-2023-23920 (<19.6.1)
CVE-2023-23920 Published on February 23, 2023

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-23920 is exploitable with local system access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

HIGH

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

What is an Untrusted Path Vulnerability?

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

CVE-2023-23920 has been classified to as an Untrusted Path vulnerability or weakness.

Products Associated with CVE-2023-23920

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-23920 are published in these products:

nodejs node.js

Debian Linux

Canonical Ubuntu Linux

Affected Versions

NodeJS Node:

Version 4.0 and below 4.* is affected.
Version 5.0 and below 5.* is affected.
Version 6.0 and below 6.* is affected.
Version 7.0 and below 7.* is affected.
Version 8.0 and below 8.* is affected.
Version 9.0 and below 9.* is affected.
Version 10.0 and below 10.* is affected.
Version 11.0 and below 11.* is affected.
Version 12.0 and below 12.* is affected.
Version 13.0 and below 13.* is affected.
Version 14.0 and below 14.21.3 is affected.
Version 15.0 and below 15.* is affected.
Version 16.0 and below 16.19.1 is affected.
Version 17.0 and below 17.* is affected.
Version 18.0 and below 18.14.1 is affected.
Version 19.0 and below 19.6.1 is affected.

Exploit Probability

EPSS

0.10%

Percentile

27.96%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.