Vulnerability details: VCID-dwjz-y3em-aaam
Vulnerability ID VCID-dwjz-y3em-aaam
Aliases CVE-2023-38552
Summary When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38552.json
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.0014 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.00267 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.00275 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.00688 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.01253 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.01345 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.01350 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
epss 0.01463 https://api.first.org/data/v1/epss?cve=CVE-2023-38552
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
ssvc Track https://hackerone.com/reports/2094235
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38552
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38552
ssvc Track https://security.netapp.com/advisory/ntap-20231116-0013/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38552.json
https://api.first.org/data/v1/epss?cve=CVE-2023-38552
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2094235
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
https://security.netapp.com/advisory/ntap-20231116-0013/
1054892 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054892
2244415 https://bugzilla.redhat.com/show_bug.cgi?id=2244415
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-38552 https://nvd.nist.gov/vuln/detail/CVE-2023-38552
GLSA-202505-11 https://security.gentoo.org/glsa/202505-11
RHSA-2023:5849 https://access.redhat.com/errata/RHSA-2023:5849
RHSA-2023:5869 https://access.redhat.com/errata/RHSA-2023:5869
RHSA-2023:7205 https://access.redhat.com/errata/RHSA-2023:7205
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38552.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://hackerone.com/reports/2094235

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38552

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-20T15:14:02Z/ Found at https://security.netapp.com/advisory/ntap-20231116-0013/
Exploit Prediction Scoring System (EPSS)
Percentile 0.34758
EPSS Score 0.00137
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.