PatchSiren cyber security CVE debrief
CVE-2023-32003 NodeJS CVE debrief
CVE-2023-32003 is a path traversal vulnerability in Node.js 20's experimental permission model that allows directory creation outside intended boundaries. The flaw exists in `fs.mkdtemp()` and `fs.mkdtempSync()` APIs due to missing path traversal checks. Siemens SINEC INS is affected through its Node.js dependency. The vulnerability has a CVSS 3.1 score of 5.3 (MEDIUM) with network attack vector, low complexity, no privileges required, and no user interaction needed. The impact is limited to integrity (low) with no confidentiality or availability impact. This CVE was published on November 12, 2024, and is not listed in CISA's Known Exploited Vulnerabilities catalog. The experimental nature of Node.js's permission model at the time of disclosure means production deployments with this feature enabled were limited. Siemens has released a vendor fix in SINEC INS V1.0 SP2 Update 3.
- Vendor: NodeJS
- Product: SINEC INS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-13
- Original CVE updated: 2024-03-12
- Advisory published: 2024-02-13
- Advisory updated: 2024-03-12
Who should care
Organizations running Siemens SINEC INS with the Node.js 20 experimental permission model enabled, industrial control system operators, Node.js developers using experimental security features, and security teams monitoring ICS supply chain dependencies.
Technical summary
The vulnerability stems from insufficient path validation in Node.js 20's `fs.mkdtemp()` and `fs.mkdtempSync()` functions when the experimental permission model is active. An attacker can exploit this by providing directory paths containing traversal sequences (e.g., `../`) to create directories outside the intended scope, bypassing permission checks. The attack requires network access to an application using the vulnerable API with the experimental permission model enabled. The Siemens SINEC INS product incorporates the affected Node.js component, exposing industrial control environments to this integrity impact vulnerability.
Defensive priority
medium
Recommended defensive actions
- Apply the Siemens vendor fix: update SINEC INS to V1.0 SP2 Update 3 or a later version
- Review Node.js permission model configurations if experimental features are enabled
- Validate directory creation permissions in application security policies
- Monitor CISA ICS advisories for related industrial control system guidance
Evidence notes
CVE description confirms path traversal via `fs.mkdtemp()` APIs in Node.js 20 experimental permission model. CISA CSAF advisory ICSA-24-319-08 confirms Siemens SINEC INS affected product with vendor fix available. CVSS vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` indicates network-exploitable with integrity impact only. No KEV entry present.
Official resources
- CVE-2023-32003 CVE record (CVE.org)
- CVE-2023-32003 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-11-12