CVE-2023-30585

{"id": "CVE-2023-30585", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-11-28T02:15:42.077", "references": [{"url": "https://nodejs.org/en/blog/vulnerability/june-2023-security-releases", "tags": ["Vendor Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the \"msiexec.exe\" process, running under the NT AUTHORITY\\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry.\n\nThe issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the \"msiexec.exe\" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations.\n\nThe severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or \"non-privileged\") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged \"msiexec.exe\" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations.\n\nIt is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. Users who opt for other installation methods are not affected by this particular issue."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en el proceso de instalaci\u00f3n de Node.js (versi\u00f3n .msi), que afecta espec\u00edficamente a los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Esta vulnerabilidad surge durante la operaci\u00f3n de reparaci\u00f3n, donde el proceso \"msiexec.exe\", que se ejecuta en el contexto NT AUTHORITY\\SYSTEM, intenta leer la variable de entorno %USERPROFILE% del registro del usuario actual. El problema surge cuando la ruta a la que hace referencia la variable de entorno %USERPROFILE% no existe. En tales casos, el proceso \"msiexec.exe\" intenta crear la ruta especificada de forma insegura, lo que podr\u00eda provocar la creaci\u00f3n de carpetas arbitrarias en ubicaciones arbitrarias. La gravedad de esta vulnerabilidad se ve aumentada por el hecho de que los usuarios est\u00e1ndar (o \"sin privilegios\") pueden modificar la variable de entorno %USERPROFILE% en el registro de Windows. En consecuencia, los actores no privilegiados, incluidas entidades maliciosas o troyanos, pueden manipular la clave de la variable de entorno para enga\u00f1ar al proceso privilegiado \"msiexec.exe\". Esta manipulaci\u00f3n puede dar como resultado la creaci\u00f3n de carpetas en ubicaciones no deseadas y potencialmente maliciosas. Es importante tener en cuenta que esta vulnerabilidad es espec\u00edfica de los usuarios de Windows que instalan Node.js utilizando el instalador .msi. Los usuarios que optan por otros m\u00e9todos de instalaci\u00f3n no se ven afectados por este problema en particular."}], "lastModified": "2023-12-02T04:39:59.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E7F6F9A-AF9F-453B-870D-1E8759567F29", "versionEndExcluding": "16.20.1", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3AA02CEF-5AC5-46F7-94DE-D9EA15678AE7", "versionEndExcluding": "18.16.1", "versionStartIncluding": "18.0.0"}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAA23E6-4930-4326-9CB0-AEE5013BFD37", "versionEndExcluding": "20.3.1", "versionStartIncluding": "20.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}