The description of CVE-2023-39332 says it only affects Node 20:
"This vulnerability affects all users using the experimental permission model in Node.js 20"
However, the Known Affected Software Configurations section indicates that all Node versions are affected.
The security release blog post mentions patches to both Node 18 and 20; however, the CVE is only mentioned in Node 20's changelog and not in Node 18's changelog.
The reason I ask is because our security scanning tool is flagging this CVE in our Node 18 images. I'm guessing this is because Node 18 is listed as an affected version even though that seems to be inaccurate. It seems our only recourse is to configure our scanner to ignore the CVE for Node 18.
Sometimes vulnerability reports are inaccurate and, as a consequence, scanning tools give inaccurate results. Sometimes inaccuracies are corrected over time; in other cases the report is simply marked as "DISPUTED" (see, for example, CVE-2022-40160, CVE-2023-39017 and CVE-2023-35116) or even "REJECTED" (see CVE-2022-41852), and it is not obvious what a scanning tool should do in these cases; for example, the OWASP Dependency Check still reports the CVEs that I linked above. Note, in particular, that the "DISPUTED" and "REJECTED" labels are in the textual description of the reports that cannot be easily managed by an automatic tool.
For CVE-2023-39332 I tried to collect information from various sources (as I always do in these cases) and found even more contradictions than the ones you already noted. My findings are:
In conclusion, if your tool reports CVE-2023-39332 on Node 18, I think it is a false positive.
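One way to handle both situations raised in this thread on the scanner side, added here as an example and not taken from the original posts or from any scanner's own code: a suppression scoped to one CVE and one major version with an expiry date, plus a check for the "DISPUTED"/"REJECTED" words in the description that routes the finding to a human. The finding layout, the product name `example-lib`, the version numbers, the dates and the description strings are all constructed for illustration.

```python
import re
from datetime import date

# Marker words the answer mentions; matched as whole upper-case words so that
# ordinary prose such as "the vendor disputed this" does not trigger.
MARKER = re.compile(r"\b(DISPUTED|REJECTED)\b")

# Hypothetical suppression rule: scoped to one CVE and one major version, with a
# written reason and an expiry date that forces a periodic re-review.
SUPPRESSIONS = [
    {"cve": "CVE-2023-39332", "product": "node", "major": 18,
     "reason": "CVE description limits impact to the Node.js 20 permission model",
     "expires": date(2024, 6, 30)},  # constructed date
]

def triage(finding, today):
    """Return (status, note) for one scanner finding."""
    major = int(finding["version"].split(".")[0])
    for rule in SUPPRESSIONS:
        if (rule["cve"], rule["product"], rule["major"]) == (
                finding["cve"], finding["product"], major):
            if today <= rule["expires"]:
                return "suppressed", rule["reason"]
            return "review", "suppression expired, re-check the CVE record"
    m = MARKER.search(finding["description"])
    if m:
        # Do not drop automatically: a marked report still needs a human decision.
        return "review", f"description is marked {m.group(1)}"
    return "open", ""

# Constructed findings (descriptions are placeholders, not the real CVE text).
FINDINGS = [
    {"cve": "CVE-2023-39332", "product": "node", "version": "18.18.0",
     "description": "placeholder text"},
    {"cve": "CVE-2023-39332", "product": "node", "version": "20.7.0",
     "description": "placeholder text"},
    {"cve": "CVE-2022-41852", "product": "example-lib", "version": "1.2.0",
     "description": "REJECTED placeholder text"},
    {"cve": "CVE-0000-0000", "product": "example-lib", "version": "1.2.0",
     "description": "the maintainers disputed an earlier draft; placeholder"},
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["cve"], f["version"], *triage(f, date(2024, 1, 15)))
```

The same CVE stays open on the Node 20 finding, and the Node 18 suppression turns into a review item once its expiry date passes.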