CVE-2024-22018 – nodejs: fs.lstat bypasses permission model
https://notcve.org/view.php?id=CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Se ha identificado una vulnerabilidad en Node.js que afecta a los usuarios del modelo de permisos experimental cuando se utiliza el indicador --allow-fs-read. Este fallo surge de un modelo de permisos inadecuado que no logra restringir las estadísticas de archivos a través de la API fs.lstat. Como resultado, los actores malintencionados pueden recuperar estadísticas de archivos a los que no tienen acceso de lectura explícito. • http://www.openwall.com/lists/oss-security/2024/07/11/6 http://www.openwall.com/lists/oss-security/2024/07/19/3 https://hackerone.com/reports/2145862 https://access.redhat.com/security/cve/CVE-2024-22018 https://bugzilla.redhat.com/show_bug.cgi?id=2296990 •
CVE-2024-22020 – nodejs: Bypass network import restriction via data URL
https://notcve.org/view.php?id=CVE-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. Un fallo de seguridad en Node.js permite eludir las restricciones de importación de la red. Al incorporar importaciones fuera de la red en las URL de datos, un atacante puede ejecutar código arbitrario, comprometiendo la seguridad del sistema. Verificada en varias plataformas, la vulnerabilidad se mitiga al prohibir las URL de datos en las importaciones de red. La explotación de este fallo puede violar la seguridad de importación de la red, lo que representa un riesgo para los desarrolladores y servidores. • http://www.openwall.com/lists/oss-security/2024/07/11/6 http://www.openwall.com/lists/oss-security/2024/07/19/3 https://hackerone.com/reports/2092749 https://access.redhat.com/security/cve/CVE-2024-22020 https://bugzilla.redhat.com/show_bug.cgi?id=2296417 • CWE-284: Improper Access Control •
CVE-2024-3566 – Command injection vulnerability in programing languages on Microsoft Windows operating system.
https://notcve.org/view.php?id=CVE-2024-3566
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied. • https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows https://kb.cert.org/vuls/id/123335 https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way https://www.cve.org/CVERecord?id=CVE-2024-1874 https://www.cve.org/CVERecord?id=CVE-2024-22423 https://www.cve.org/CVERecord?id=CVE-2024-24576 https://www.kb.cert.org/vuls/id/123335 •
CVE-2024-22025 – nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service
https://notcve.org/view.php?id=CVE-2024-22025
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration. Se ha identificado una vulnerabilidad en Node.js, que permite un ataque de denegación de servicio (DoS) por agotamiento de recursos cuando se utiliza la función fetch() para recuperar contenido de una URL que no es de confianza. La vulnerabilidad surge del hecho de que la función fetch() en Node.js siempre decodifica Brotli, lo que hace posible que un atacante provoque el agotamiento de los recursos al recuperar contenido de una URL que no es de confianza. Un atacante que controle la URL pasada a fetch() puede aprovechar esta vulnerabilidad para agotar la memoria, lo que podría provocar la terminación del proceso, según la configuración del sistema. A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. • https://hackerone.com/reports/2284065 https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html https://security.netapp.com/advisory/ntap-20240517-0008 https://access.redhat.com/security/cve/CVE-2024-22025 https://bugzilla.redhat.com/show_bug.cgi?id=2270559 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •
CVE-2024-21896 – nodejs: path traversal by monkey-patching buffer internals
https://notcve.org/view.php?id=CVE-2024-21896
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. El modelo de permiso se protege contra ataques de path traversal llamando a path.resolve() en cualquier ruta proporcionada por el usuario. Si la ruta se va a tratar como un búfer, la implementación usa Buffer.from() para obtener un búfer a partir del resultado de path.resolve(). • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://hackerone.com/reports/2218653 https://security.netapp.com/advisory/ntap-20240329-0002 https://access.redhat.com/security/cve/CVE-2024-21896 https://bugzilla.redhat.com/show_bug.cgi?id=2265717 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-27: Path Traversal: 'dir/../../filename' •