Node.js 20 Privilege Escalation Vulnerability in OpenSSL Engine
CVE-2023-30586

7.5HIGH

Key Information:

Vendor: Nodejs
Status: Node
Vendor: CVE Published:; 1 July 2023

What is CVE-2023-30586?

A privilege escalation vulnerability in Node.js 20 allows for the loading of arbitrary OpenSSL engines when the experimental permission model is activated. This vulnerability enables attackers to bypass and even disable the permission model, which could lead to unauthorized actions within the application. Specifically, the crypto.setEngine() API can manipulate the permission model's settings by interacting with compatible OpenSSL engines, potentially disabling safeguards within the host process. Attackers can exploit this flaw by accessing and altering sensitive stack memory locations, creating a serious security concern, particularly as the permission model is still in its experimental stage.

Affected Version(s)

Node 4.0 < 4.*

Node 5.0 < 5.*

Node 6.0 < 6.*

References

https://hackerone.com/reports/1954535

https://security.netapp.com/advisory/ntap-20230803-0008/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2023
Vulnerability Reserved
Apr 13, 2023

Nodejs

What is CVE-2023-30586?

Affected Version(s)

References

CVSS V3.1

Timeline