PT-2024-4035 · Node.Js+6
Tniessen · Published 2024-02-16 · Updated 2025-02-12 · CVE-2024-21890
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21
Description: The issue concerns the Node.js Permission Model, whose documentation is misleading about the use of wildcards in file paths. Specifically, the documentation does not state that a wildcard may only appear as the last character of a path. For example, --allow-fs-read=/home/node/.ssh/*.pub ignores the trailing pub and grants read access to everything under /home/node/.ssh/. This affects all users of the experimental permission model in the affected Node.js versions.
Recommendations: For Node.js versions 20 through 21, avoid wildcards in file paths until the documentation is clarified or updated. As a temporary workaround, ensure that a wildcard is only ever the last character of a path, so that no unintended access is granted. Restrict access to sensitive files and directories to minimise the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
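The following is an added example, not code from the Node.js project or from this advisory's author. It is a small JavaScript audit that scans a Node.js command line for --allow-fs-read / --allow-fs-write entries whose wildcard is not the last character, and reports the effective prefix such an entry would expand to under the behaviour the description gives (everything before the first "*" is treated as the allowed prefix). That prefix rule is an assumption taken from the advisory's own example, not a description of Node's matcher; the function names (auditArgv, classifyPattern, isGrantedUnderPrefixModel) and the sample argv are this example's own.

```javascript
// Added example: audit Node.js permission-model flags for misplaced wildcards.
// Assumption (from the advisory's example, not Node's documented algorithm):
// a "*" anywhere but the end truncates the pattern to the text before it.

const FS_FLAGS = ["--allow-fs-read", "--allow-fs-write"];

// Split "--allow-fs-read=a,b" into { flag, paths }; null for other arguments.
function parseFsFlag(arg) {
  for (const flag of FS_FLAGS) {
    if (arg.startsWith(flag + "=")) {
      const paths = arg.slice(flag.length + 1).split(",").filter(Boolean);
      return { flag, paths };
    }
  }
  return null;
}

// Classify one path pattern: exact, trailing wildcard, or misplaced wildcard.
// "effective" is the prefix the pattern grants under the assumed model.
function classifyPattern(pattern) {
  const first = pattern.indexOf("*");
  if (first === -1) {
    return { pattern, kind: "exact", effective: pattern };
  }
  if (first === pattern.length - 1) {
    return { pattern, kind: "trailing-wildcard", effective: pattern.slice(0, -1) };
  }
  return { pattern, kind: "misplaced-wildcard", effective: pattern.slice(0, first) };
}

// Model of the described behaviour: a request is granted when it starts
// with the effective prefix. Used only to show the blast radius of a finding.
function isGrantedUnderPrefixModel(pattern, requestedPath) {
  const { kind, effective } = classifyPattern(pattern);
  if (kind === "exact") return requestedPath === effective;
  return requestedPath.startsWith(effective);
}

// Walk argv and collect every misplaced-wildcard entry with its flag.
function auditArgv(argv) {
  const findings = [];
  for (const arg of argv) {
    const parsed = parseFsFlag(arg);
    if (!parsed) continue;
    for (const p of parsed.paths) {
      const c = classifyPattern(p);
      if (c.kind === "misplaced-wildcard") {
        findings.push({ flag: parsed.flag, pattern: c.pattern, effective: c.effective });
      }
    }
  }
  return findings;
}

// Constructed sample command line (not taken from any real deployment).
const SAMPLE_ARGV = [
  "node",
  "--experimental-permission",
  "--allow-fs-read=/home/node/.ssh/*.pub,/etc/app/config.json",
  "--allow-fs-write=/var/log/app/*",
  "app.js",
];

for (const f of auditArgv(SAMPLE_ARGV)) {
  console.log(`${f.flag}: "${f.pattern}" effectively allows everything under "${f.effective}"`);
}
```

Run with node; each finding names the flag, the offending pattern and the directory it effectively opens, which is the information needed to rewrite the entry as an exact path or as a dedicated directory with the wildcard last.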

Related Identifiers

ALSA-2024:1687
ALSA-2024:1688
ALT-PU-2024-3054
AZL-35900
BDU:2024-04471
BIT-NODE-2024-21890
BIT-NODE-MIN-2024-21890
CESA-2024_1687
CVE-2024-21890
OPENSUSE-SU-2024:13697-1
OPENSUSE-SU-2024:13698-1
RHSA-2024:1687
RHSA-2024:1688
RHSA-2024_1687
RHSA-2024_1688
RLSA-2024:1687
RLSA-2024:1688
SUSE-SU-2024:0643-1

Affected Products

Alt Linux
Almalinux
Centos
Node.Js
Red Hat
Rocky Linux
Suse