cve-2023-30585
Vulnerability from cvelistv5
Published
2023-11-28 01:23
Modified
2024-08-02 14:28
Severity ?
Summary
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.
Impacted products
Node.jsNode.js
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:28:51.579Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Node.js",
          "vendor": "Node.js",
          "versions": [
            {
              "lessThan": "16.20.1",
              "status": "affected",
              "version": "16.20.1",
              "versionType": "semver"
            },
            {
              "lessThan": "18.16.1",
              "status": "affected",
              "version": "18.16.1",
              "versionType": "semver"
            },
            {
              "lessThan": "20.3.1",
              "status": "affected",
              "version": "20.3.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the \"msiexec.exe\" process, running under the NT AUTHORITY\\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user\u0027s registry.\n\nThe issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the \"msiexec.exe\" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.\n\nThe severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or \"non-privileged\") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged \"msiexec.exe\" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations.\n\nIt is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-28T01:23:08.734Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2023-30585",
    "datePublished": "2023-11-28T01:23:08.734Z",
    "dateReserved": "2023-04-13T01:00:12.086Z",
    "dateUpdated": "2024-08-02T14:28:51.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-30585\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2023-11-28T02:15:42.077\",\"lastModified\":\"2023-12-02T04:39:59.250\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the \\\"msiexec.exe\\\" process, running under the NT AUTHORITY\\\\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user\u0027s registry.\\n\\nThe issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the \\\"msiexec.exe\\\" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.\\n\\nThe severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or \\\"non-privileged\\\") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged \\\"msiexec.exe\\\" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations.\\n\\nIt is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue.\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en el proceso de instalaci\u00f3n de Node.js (versi\u00f3n .msi), que afecta espec\u00edficamente a los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Esta vulnerabilidad surge durante la operaci\u00f3n de reparaci\u00f3n, donde el proceso \\\"msiexec.exe\\\", que se ejecuta en el contexto NT AUTHORITY\\\\SYSTEM, intenta leer la variable de entorno %USERPROFILE% del registro del usuario actual. El problema surge cuando la ruta a la que hace referencia la variable de entorno %USERPROFILE% no existe. En tales casos, el proceso \\\"msiexec.exe\\\" intenta crear la ruta especificada de forma insegura, lo que podr\u00eda provocar la creaci\u00f3n de carpetas arbitrarias en ubicaciones arbitrarias. La gravedad de esta vulnerabilidad se ve aumentada por el hecho de que los usuarios est\u00e1ndar (o \\\"sin privilegios\\\") pueden modificar la variable de entorno %USERPROFILE% en el registro de Windows. En consecuencia, los actores no privilegiados, incluidas entidades maliciosas o troyanos, pueden manipular la clave de la variable de entorno para enga\u00f1ar al proceso privilegiado \\\"msiexec.exe\\\". Esta manipulaci\u00f3n puede dar como resultado la creaci\u00f3n de carpetas en ubicaciones no deseadas y potencialmente maliciosas. Es importante tener en cuenta que esta vulnerabilidad es espec\u00edfica de los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Los usuarios que optan por otros m\u00e9todos de instalaci\u00f3n no se ven afectados por este problema en particular.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.20.1\",\"matchCriteriaId\":\"7E7F6F9A-AF9F-453B-870D-1E8759567F29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.0.0\",\"versionEndExcluding\":\"18.16.1\",\"matchCriteriaId\":\"3AA02CEF-5AC5-46F7-94DE-D9EA15678AE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.3.1\",\"matchCriteriaId\":\"1CAA23E6-4930-4326-9CB0-AEE5013BFD37\"}]}]}],\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/june-2023-security-releases\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.