CVE-2023-23920

Description

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

How to fix CVE-2023-23920

To remediate CVE-2023-23920, upgrade the affected package to a fixed version below.

• Alpine/nodejs—upgrade to 14.21.3-r0 or later
• —upgrade to 14.21.3 or later
• —upgrade to 14.21.3 or later
• —upgrade to 12.22.12~dfsg-1~deb11u4 or later
• —upgrade to 12.22.12~dfsg-1~deb11u4 or later

Is CVE-2023-23920 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 14.21.3-r0
• >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
• >= 14.0.0, < 14.21.3, >= 16.0.0, < 16.19.1, >= 18.0.0, < 18.14.1, >= 19.0.0, < 19.6.1
• from 0, < 12.22.12~dfsg-1~deb11u4
• from 0, < 12.22.12~dfsg-1~deb11u4

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-23920
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-23920
• WEBlists.debian.org/debian-lts-announce/2023/02/msg00038.html
• WEBnodejs.org/en/blog/vulnerability/february-2023-security-releases/