CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21890 – nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write
https://notcve.org/view.php?id=CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. El modelo de permisos de Node.js no aclara en la documentación que los comodines solo deben usarse como último carácter de la ruta de un archivo. Por ejemplo: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` ignorará `pub` y dará acceso a todo lo que esté después de `.ssh/`. Esta documentación engañosa afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2257156 https://security.netapp.com/advisory/ntap-20240315-0002 https://access.redhat.com/security/cve/CVE-2024-21890 https://bugzilla.redhat.com/show_bug.cgi?id=2265722 • CWE-1059: Insufficient Technical Documentation •
CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-21891 – nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization
https://notcve.org/view.php?id=CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Node.js depende de múltiples funciones de utilidad integradas para normalizar las rutas proporcionadas a las funciones de node:fs, que pueden ser exageradas con implementaciones definidas por el usuario que conducen a la omisión del modelo de permisos del sistema de archivos mediante un ataque de path traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. Tenga en cuenta que en el momento en que se emitió este CVE, el modelo de permiso es una característica experimental de Node.js. A flaw was found in Node.js. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2259914 https://security.netapp.com/advisory/ntap-20240315-0005 https://access.redhat.com/security/cve/CVE-2024-21891 https://bugzilla.redhat.com/show_bug.cgi?id=2265720 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22019 – nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
https://notcve.org/view.php?id=CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits. Una vulnerabilidad en los servidores HTTP de Node.js permite a un atacante enviar una solicitud HTTP especialmente manipulada con codificación fragmentada, lo que provoca el agotamiento de los recursos y la denegación de servicio (DoS). El servidor lee una cantidad ilimitada de bytes de una única conexión, aprovechando la falta de limitaciones en los bytes de extensión de fragmentos. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2233486 https://security.netapp.com/advisory/ntap-20240315-0004 https://access.redhat.com/security/cve/CVE-2024-22019 https://bugzilla.redhat.com/show_bug.cgi?id=2264574 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-21892 – nodejs: code injection and privilege escalation through Linux capabilities
https://notcve.org/view.php?id=CVE-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. En Linux, Node.js ignora ciertas variables de entorno si pueden haber sido configuradas por un usuario sin privilegios mientras el proceso se ejecuta con privilegios elevados con la única excepción de CAP_NET_BIND_SERVICE. Debido a un error en la implementación de esta excepción, Node.js aplica incorrectamente esta excepción incluso cuando se han configurado otras capacidades. Esto permite a los usuarios sin privilegios inyectar código que hereda los privilegios elevados del proceso. A flaw was found in Node.js. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2237545 https://security.netapp.com/advisory/ntap-20240322-0003 https://access.redhat.com/security/cve/CVE-2024-21892 https://bugzilla.redhat.com/show_bug.cgi?id=2264582 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-39333 – nodejs: code injection via WebAssembly export names
https://notcve.org/view.php?id=CVE-2023-39333
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. • https://nodejs.org/en/blog/vulnerability/october-2023-security-releases https://access.redhat.com/security/cve/CVE-2023-39333 https://bugzilla.redhat.com/show_bug.cgi?id=2244418 • CWE-94: Improper Control of Generation of Code ('Code Injection') •