Directory Traversal Affecting npm package, versions <1:10.1.0-1.20.8.1.1.module+el8.9.0+90082+b6a613a6
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ORACLE8-NPM-6084007
- published 24 Nov 2023
- disclosed 18 Oct 2023
Introduced: 18 Oct 2023
CVE-2023-39331 Open this link in a new tabHow to fix?
Upgrade Oracle:8 npm to version 1:10.1.0-1.20.8.1.1.module+el8.9.0+90082+b6a613a6 or higher.
This issue was patched in ELSA-2023-7205.
NVD Description
Note: Versions mentioned in the description apply only to the upstream npm package and not the npm package as distributed by Oracle.
See How to fix? for Oracle:8 relevant fixed versions and status.
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
References
- https://linux.oracle.com/cve/CVE-2023-39331.html
- https://linux.oracle.com/errata/ELSA-2023-7205.html
- https://hackerone.com/reports/2092852
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
- https://security.netapp.com/advisory/ntap-20231116-0009/