CVE-2023-45311 - OpenCVE

fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Fsevents Project	Fsevents

Configuration 1 [-]

cpe:2.3:a:fsevents_project:fsevents:*:*:*:*:*:node.js:*:*

References

Link	Resource
https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902	Exploit Vendor Advisory
https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153	Exploit Vendor Advisory
https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512	Exploit Vendor Advisory
https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494	Exploit Vendor Advisory
https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267	Exploit Vendor Advisory
https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737	Exploit Vendor Advisory
https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11	Patch Vendor Advisory
https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-10-06T00:00:00

Updated: 2023-11-28T07:03:17.341448

Reserved: 2023-10-06T00:00:00

Link: CVE-2023-45311

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-06T21:15:10.940

Modified: 2023-11-28T07:15:43.260

Link: CVE-2023-45311

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fsevents_project:fsevents:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FA1FB339-2134-48A1-A7B7-8EF049BC43AE", "versionEndExcluding": "1.2.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary."}, {"lang": "es", "value": "fsevents anterior a 1.2.11 depende de la URL https://fsevents-binaries.s3-us-west-2.amazonaws.com, lo que podr\u00eda permitir a un adversario ejecutar c\u00f3digo arbitrario si alg\u00fan proyecto JavaScript (que depende de fsevents) distribuye c\u00f3digo que se obtuvo de esa URL en un momento en que estaba controlada por un adversario."}], "id": "CVE-2023-45311", "lastModified": "2023-11-28T07:15:43.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-06T21:15:10.940", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11"}, {"source": "cve@mitre.org", "url": "https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}