CVE-2024-22020 – nodejs: Bypass network import restriction via data URL
https://notcve.org/view.php?id=CVE-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. Un fallo de seguridad en Node.js permite eludir las restricciones de importación de la red. Al incorporar importaciones fuera de la red en las URL de datos, un atacante puede ejecutar código arbitrario, comprometiendo la seguridad del sistema. Verificada en varias plataformas, la vulnerabilidad se mitiga al prohibir las URL de datos en las importaciones de red. La explotación de este fallo puede violar la seguridad de importación de la red, lo que representa un riesgo para los desarrolladores y servidores. • http://www.openwall.com/lists/oss-security/2024/07/11/6 http://www.openwall.com/lists/oss-security/2024/07/19/3 https://hackerone.com/reports/2092749 https://access.redhat.com/security/cve/CVE-2024-22020 https://bugzilla.redhat.com/show_bug.cgi?id=2296417 • CWE-284: Improper Access Control •
CVE-2024-3566 – Command injection vulnerability in programing languages on Microsoft Windows operating system.
https://notcve.org/view.php?id=CVE-2024-3566
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. • https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows https://kb.cert.org/vuls/id/123335 https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way https://www.cve.org/CVERecord?id=CVE-2024-1874 https://www.cve.org/CVERecord?id=CVE-2024-22423 https://www.cve.org/CVERecord?id=CVE-2024-24576 https://www.kb.cert.org/vuls/id/123335 •
CVE-2024-22025 – nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service
https://notcve.org/view.php?id=CVE-2024-22025
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration. Se ha identificado una vulnerabilidad en Node.js, que permite un ataque de denegación de servicio (DoS) por agotamiento de recursos cuando se utiliza la función fetch() para recuperar contenido de una URL que no es de confianza. La vulnerabilidad surge del hecho de que la función fetch() en Node.js siempre decodifica Brotli, lo que hace posible que un atacante provoque el agotamiento de los recursos al recuperar contenido de una URL que no es de confianza. Un atacante que controle la URL pasada a fetch() puede aprovechar esta vulnerabilidad para agotar la memoria, lo que podría provocar la terminación del proceso, según la configuración del sistema. A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. • https://hackerone.com/reports/2284065 https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html https://security.netapp.com/advisory/ntap-20240517-0008 https://access.redhat.com/security/cve/CVE-2024-22025 https://bugzilla.redhat.com/show_bug.cgi?id=2270559 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •
CVE-2024-21892 – nodejs: code injection and privilege escalation through Linux capabilities
https://notcve.org/view.php?id=CVE-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. En Linux, Node.js ignora ciertas variables de entorno si pueden haber sido configuradas por un usuario sin privilegios mientras el proceso se ejecuta con privilegios elevados con la única excepción de CAP_NET_BIND_SERVICE. Debido a un error en la implementación de esta excepción, Node.js aplica incorrectamente esta excepción incluso cuando se han configurado otras capacidades. Esto permite a los usuarios sin privilegios inyectar código que hereda los privilegios elevados del proceso. A flaw was found in Node.js. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2237545 https://security.netapp.com/advisory/ntap-20240322-0003 https://access.redhat.com/security/cve/CVE-2024-21892 https://bugzilla.redhat.com/show_bug.cgi?id=2264582 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-39333 – nodejs: code injection via WebAssembly export names
https://notcve.org/view.php?id=CVE-2023-39333
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. • https://nodejs.org/en/blog/vulnerability/october-2023-security-releases https://access.redhat.com/security/cve/CVE-2023-39333 https://bugzilla.redhat.com/show_bug.cgi?id=2244418 • CWE-94: Improper Control of Generation of Code ('Code Injection') •