cve-2024-21896
Vulnerability from cvelistv5
Published
2024-02-20 01:31
Modified
2024-08-27 15:48
Summary
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Impacted products
Node.jsNode.js
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:35:33.412Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/2218653"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240329-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "nodejs",
            "vendor": "nodejs",
            "versions": [
              {
                "status": "affected",
                "version": "21.6.1"
              },
              {
                "status": "unaffected",
                "version": "20.11.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21896",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T04:00:41.699700Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-27",
                "description": "CWE-27 Path Traversal: \u0027dir/../../filename\u0027",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-27T15:48:13.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Node.js",
          "vendor": "Node.js",
          "versions": [
            {
              "lessThanOrEqual": "21.6.1",
              "status": "affected",
              "version": "21.6.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "20.11.0",
              "status": "unaffected",
              "version": "20.11.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/CR:M/IR:M/AR:M",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-20T01:31:08.176Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2218653"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240329-0002/"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2024-21896",
    "datePublished": "2024-02-20T01:31:08.176Z",
    "dateReserved": "2024-01-03T01:04:06.539Z",
    "dateUpdated": "2024-08-27T15:48:13.167Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-21896\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2024-02-20T02:15:50.770\",\"lastModified\":\"2024-08-27T16:35:07.720\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.\\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.\"},{\"lang\":\"es\",\"value\":\"El modelo de permiso se protege contra ataques de path traversal llamando a path.resolve() en cualquier ruta proporcionada por el usuario. Si la ruta se va a tratar como un b\u00fafer, la implementaci\u00f3n usa Buffer.from() para obtener un b\u00fafer a partir del resultado de path.resolve(). Al parchear los componentes internos del Buffer, es decir, Buffer.prototype.utf8Write, la aplicaci\u00f3n puede modificar el resultado de path.resolve(), lo que conduce a una vulnerabilidad de path traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. Tenga en cuenta que en el momento en que se emiti\u00f3 este CVE, el modelo de permiso es una caracter\u00edstica experimental de Node.js.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.9,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.5,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-27\"}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/11/1\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://hackerone.com/reports/2218653\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240329-0002/\",\"source\":\"support@hackerone.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.