CVE-2023-23920

Published Feb 16, 2023

Updated

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

Affected Software

19 affected componentsFixes available

redhat/nodejs<18-9020020230327152102.rhel9

18-9020020230327152102.rhel9

redhat/nodejs<1:16.19.1-1.el9_2

1:16.19.1-1.el9_2

redhat/nodejs<1:16.20.2-1.el9_0

1:16.20.2-1.el9_0

redhat/rh-nodejs14<0:3.6-2.el7

0:3.6-2.el7

redhat/rh-nodejs14-nodejs<0:14.21.3-2.el7

0:14.21.3-2.el7

redhat/Node.js<19.6.1

19.6.1

redhat/Node.js<18.14.1

18.14.1

redhat/Node.js<16.19.1

16.19.1

redhat/Node.js<14.21.3

14.21.3

debian/nodejs

12.22.12~dfsg-1~deb11u412.22.12~dfsg-1~deb11u518.19.0+dfsg-6~deb12u218.19.0+dfsg-6~deb12u120.17.0+dfsg-2

IBM Cognos Controller<=11.0.0 - 11.0.1

Nodejs Node.js>=14.0.0<=14.14.0

Nodejs Node.js>=14.0.0<14.21.3

Nodejs Node.js>=16.0.0<=16.12.0

Nodejs Node.js>=16.0.0<16.19.1

Nodejs Node.js>=18.0.0<=18.11.0

Nodejs Node.js>=18.0.0<18.14.1

Nodejs Node.js>=19.0.0<19.6.1

Debian Debian Linux=10.0

Remediation

Patch Available

https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

Event History

Feb 16, 2023

CVE Published

12:00 AM

Feb 23, 2023

CVE Published

via MITRE·12:00 AM

Data Sourced

via MITRE·12:00 AM

DescriptionWeakness

Mar 4, 2024

Data Sourced

via Launchpad·12:30 PM

Description

Sep 16, 2024

Data Sourced

via Ubuntu·12:58 PM

RemedyDescriptionSeverityAffected Software

CVSS Score

4.2Medium

Medium Severity

AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

Security Metrics

Risk Score25

Severitymedium(4.2)

CWE

426

Timeline

PublishedFeb 16, 2023

Updated

References

+20 more references

Parent Advisories

Tags

collector/redhat-cveagent/typeagent/first-publish-dateagent/remedyagent/weaknesscollector/redhat-bugzillasource/Red Hatalias/CVE-2023-23920agent/software-canonical-lookupcollector/launchpad-cvesource/Launchpadagent/authorcollector/usn-cvesource/Ubuntuagent/descriptionagent/eventcollector/security-tracker-debiansource/Debianagent/referencesagent/severityagent/trendingagent/sourcecollector/ibm-supportsource/IBMagent/software-canonical-lookup-requestcollector/mitre-cvesource/MITREagent/last-modified-datecollector/nvd-apisource/NVDcollector/nvd-cvecollector/nvd-indexagent/tagsagent/softwarecombineagent/risk-scorepackage-manager/redhatpackage-manager/debianvendor/ibmcanonical/ibm cognos controllerversion/ibm cognos controller/11.0.0 - 11.0.1vendor/nodejscanonical/langgenius dify node.jsversion/langgenius dify node.js/14.0.0version/langgenius dify node.js/14.14.0version/langgenius dify node.js/16.0.0version/langgenius dify node.js/16.12.0version/langgenius dify node.js/18.0.0version/langgenius dify node.js/18.11.0version/langgenius dify node.js/19.0.0vendor/debiancanonical/debian linuxversion/debian linux/10.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

CVE-2023-23920 - SecAlerts

CVE-2023-23920

Affected Software

Remediation

Patch Available

Event History

Don't miss critical vulnerabilities

Company

Resources

Contact