Lucene search

K

[email protected]NVD:CVE-2024-22018

HistoryJul 10, 2024 - 2:15 a.m.

CVE-2024-22018

2024-07-1002:15:03

[email protected]

web.nvd.nist.gov

12

node.js

experimental permission model

inadequate permission

file stats

fs.lstat api

malicious actors

explicit read access

cve-2024-22018

CVSS3

2.9

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0

Percentile

16.0%

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References

www.openwall.com/lists/oss-security/2024/07/11/6

www.openwall.com/lists/oss-security/2024/07/19/3

hackerone.com/reports/2145862

CVSS3

2.9

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0

Percentile

16.0%

Related for NVD:CVE-2024-22018

ubuntucve1 osv9 hackerone1 alpinelinux1 debiancve1 vulnrichment1 cve1 redhatcve1 wolfi1 cvelist1 almalinux2 rocky2 oraclelinux2 redhat2 openvas3 nessus9 photon1 nodejsblog1 mageia1 f51 ibm1