CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22017 – nodejs: setuid() does not drop all privileges due to io_uring
https://notcve.org/view.php?id=CVE-2024-22017
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21. setuid() no afecta las operaciones io_uring internas de libuv si se inicializa antes de la llamada a setuid(). Esto permite que el proceso realice operaciones privilegiadas a pesar de haber perdido dichos privilegios mediante una llamada a setuid(). Esta vulnerabilidad afecta a todos los usuarios que utilizan una versión mayor o igual a Node.js 18.18.0, Node.js 20.4.0 y Node.js 21. A flaw was found in Node.js, where the setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2170226 https://security.netapp.com/advisory/ntap-20240517-0007 https://access.redhat.com/security/cve/CVE-2024-22017 https://bugzilla.redhat.com/show_bug.cgi?id=2265727 • CWE-250: Execution with Unnecessary Privileges CWE-269: Improper Privilege Management •
CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21896 – nodejs: path traversal by monkey-patching buffer internals
https://notcve.org/view.php?id=CVE-2024-21896
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. El modelo de permiso se protege contra ataques de path traversal llamando a path.resolve() en cualquier ruta proporcionada por el usuario. Si la ruta se va a tratar como un búfer, la implementación usa Buffer.from() para obtener un búfer a partir del resultado de path.resolve(). • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2218653 https://security.netapp.com/advisory/ntap-20240329-0002 https://access.redhat.com/security/cve/CVE-2024-21896 https://bugzilla.redhat.com/show_bug.cgi?id=2265717 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-27: Path Traversal: 'dir/../../filename' •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21890 – nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write
https://notcve.org/view.php?id=CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. El modelo de permisos de Node.js no aclara en la documentación que los comodines solo deben usarse como último carácter de la ruta de un archivo. Por ejemplo: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` ignorará `pub` y dará acceso a todo lo que esté después de `.ssh/`. Esta documentación engañosa afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2257156 https://security.netapp.com/advisory/ntap-20240315-0002 https://access.redhat.com/security/cve/CVE-2024-21890 https://bugzilla.redhat.com/show_bug.cgi?id=2265722 • CWE-1059: Insufficient Technical Documentation •
CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21891 – nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization
https://notcve.org/view.php?id=CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Node.js depende de múltiples funciones de utilidad integradas para normalizar las rutas proporcionadas a las funciones de node:fs, que pueden ser exageradas con implementaciones definidas por el usuario que conducen a la omisión del modelo de permisos del sistema de archivos mediante un ataque de path traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. Tenga en cuenta que en el momento en que se emitió este CVE, el modelo de permiso es una característica experimental de Node.js. A flaw was found in Node.js. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2259914 https://security.netapp.com/advisory/ntap-20240315-0005 https://access.redhat.com/security/cve/CVE-2024-21891 https://bugzilla.redhat.com/show_bug.cgi?id=2265720 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22019 – nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
https://notcve.org/view.php?id=CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits. Una vulnerabilidad en los servidores HTTP de Node.js permite a un atacante enviar una solicitud HTTP especialmente manipulada con codificación fragmentada, lo que provoca el agotamiento de los recursos y la denegación de servicio (DoS). El servidor lee una cantidad ilimitada de bytes de una única conexión, aprovechando la falta de limitaciones en los bytes de extensión de fragmentos. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2233486 https://security.netapp.com/advisory/ntap-20240315-0004 https://access.redhat.com/security/cve/CVE-2024-22019 https://bugzilla.redhat.com/show_bug.cgi?id=2264574 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •