CVE-2024-24828 (GCVE-0-2024-24828)
Vulnerability from cvelistv5 – Published: 2024-02-09 22:21 – Updated: 2024-08-22 13:25
VLAI?
Summary
pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21’s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.
Severity ?
6.6 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"
},
{
"name": "https://nodejs.org/api/single-executable-applications.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodejs.org/api/single-executable-applications.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:vercel:pkg:-:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "pkg",
"vendor": "vercel",
"versions": [
{
"lessThanOrEqual": "5.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T13:22:41.012365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T13:25:19.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pkg",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276: Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T22:21:04.933Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"
},
{
"name": "https://nodejs.org/api/single-executable-applications.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://nodejs.org/api/single-executable-applications.html"
}
],
"source": {
"advisory": "GHSA-22r3-9w55-cj54",
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation in execuatables bundled by pkg"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24828",
"datePublished": "2024-02-09T22:21:04.933Z",
"dateReserved": "2024-01-31T16:28:17.946Z",
"dateUpdated": "2024-08-22T13:25:19.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vercel:pkg:*:*:*:*:*:node.js:*:*\", \"versionEndIncluding\": \"5.8.1\", \"matchCriteriaId\": \"A83852BC-5291-4916-A376-52D0CB5766AE\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.\"}, {\"lang\": \"es\", \"value\": \"pkg es una herramienta de dise\\u00f1o para agrupar proyectos de Node.js en archivos ejecutables. Cualquier paquete de c\\u00f3digo nativo creado por `pkg` se escribe en un directorio codificado. En sistemas Unix, este es `/tmp/pkg/*` que es un directorio compartido para todos los usuarios en el mismo sistema local. Los nombres de los paquetes dentro de este directorio no son \\u00fanicos, son predecibles. Un atacante que tiene acceso al mismo sistema local tiene la capacidad de reemplazar los ejecutables genuinos en el directorio compartido con ejecutables maliciosos del mismo nombre. Luego, un usuario puede ejecutar el ejecutable malicioso sin darse cuenta de que ha sido modificado. Este paquete est\\u00e1 en desuso. Por lo tanto, no se proporcionar\\u00e1 ning\\u00fan parche para esta vulnerabilidad. Para verificar si su ejecutable compilado por pkg depende del c\\u00f3digo nativo y es vulnerable, ejecute el ejecutable y verifique si se cre\\u00f3 `/tmp/pkg/`. Los usuarios deben hacer la transici\\u00f3n a alternativas mantenidas activamente. Recomendamos investigar la compatibilidad de Node.js 21 con aplicaciones ejecutables \\u00fanicas. Dada la decisi\\u00f3n de dejar de usar el paquete pkg, nuestro equipo no ha proporcionado soluciones ni soluciones oficiales. Los usuarios deben priorizar la migraci\\u00f3n a otros paquetes que ofrezcan funciones similares con seguridad mejorada.\"}]",
"id": "CVE-2024-24828",
"lastModified": "2024-11-21T08:59:48.197",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 6.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
"published": "2024-02-09T23:15:09.837",
"references": "[{\"url\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nodejs.org/api/single-executable-applications.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://nodejs.org/api/single-executable-applications.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-276\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-24828\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-09T23:15:09.837\",\"lastModified\":\"2024-11-21T08:59:48.197\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.\"},{\"lang\":\"es\",\"value\":\"pkg es una herramienta de dise\u00f1o para agrupar proyectos de Node.js en archivos ejecutables. Cualquier paquete de c\u00f3digo nativo creado por `pkg` se escribe en un directorio codificado. En sistemas Unix, este es `/tmp/pkg/*` que es un directorio compartido para todos los usuarios en el mismo sistema local. Los nombres de los paquetes dentro de este directorio no son \u00fanicos, son predecibles. Un atacante que tiene acceso al mismo sistema local tiene la capacidad de reemplazar los ejecutables genuinos en el directorio compartido con ejecutables maliciosos del mismo nombre. Luego, un usuario puede ejecutar el ejecutable malicioso sin darse cuenta de que ha sido modificado. Este paquete est\u00e1 en desuso. Por lo tanto, no se proporcionar\u00e1 ning\u00fan parche para esta vulnerabilidad. Para verificar si su ejecutable compilado por pkg depende del c\u00f3digo nativo y es vulnerable, ejecute el ejecutable y verifique si se cre\u00f3 `/tmp/pkg/`. Los usuarios deben hacer la transici\u00f3n a alternativas mantenidas activamente. Recomendamos investigar la compatibilidad de Node.js 21 con aplicaciones ejecutables \u00fanicas. Dada la decisi\u00f3n de dejar de usar el paquete pkg, nuestro equipo no ha proporcionado soluciones ni soluciones oficiales. Los usuarios deben priorizar la migraci\u00f3n a otros paquetes que ofrezcan funciones similares con seguridad mejorada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:pkg:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"5.8.1\",\"matchCriteriaId\":\"A83852BC-5291-4916-A376-52D0CB5766AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nodejs.org/api/single-executable-applications.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://nodejs.org/api/single-executable-applications.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"name\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://nodejs.org/api/single-executable-applications.html\", \"name\": \"https://nodejs.org/api/single-executable-applications.html\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:12.933Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24828\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-22T13:22:41.012365Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:vercel:pkg:-:*:*:*:*:node.js:*:*\"], \"vendor\": \"vercel\", \"product\": \"pkg\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.8.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-22T13:25:15.425Z\"}}], \"cna\": {\"title\": \"Local Privilege Escalation in execuatables bundled by pkg\", \"source\": {\"advisory\": \"GHSA-22r3-9w55-cj54\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"vercel\", \"product\": \"pkg\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 5.8.1\"}]}], \"references\": [{\"url\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"name\": \"https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://nodejs.org/api/single-executable-applications.html\", \"name\": \"https://nodejs.org/api/single-executable-applications.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-276\", \"description\": \"CWE-276: Incorrect Default Permissions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-09T22:21:04.933Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-24828\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-22T13:25:19.053Z\", \"dateReserved\": \"2024-01-31T16:28:17.946Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-09T22:21:04.933Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…