CVE-2024-22018

EPSS 0.21%
Veröffentlicht 10.07.2024 02:15:03
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerNodeJS

≫

Produkt Node

Default Statusunaffected

Version 4.0

Version < 4.*

Status affected

Version 5.0

Version < 5.*

Status affected

Version 6.0

Version < 6.*

Status affected

Version 7.0

Version < 7.*

Status affected

Version 8.0

Version < 8.*

Status affected

Version 9.0

Version < 9.*

Status affected

Version 10.0

Version < 10.*

Status affected

Version 11.0

Version < 11.*

Status affected

Version 12.0

Version < 12.*

Status affected

Version 13.0

Version < 13.*

Status affected

Version 14.0

Version < 14.*

Status affected

Version 15.0

Version < 15.*

Status affected

Version 16.0

Version < 16.*

Status affected

Version 17.0

Version < 17.*

Status affected

Version 19.0

Version < 19.*

Status affected

Version 20.0

Version < 20.15.1

Status affected

Version 21.0

Version < 21.*

Status affected

Version 22.0

Version < 22.4.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.434

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
support@hackerone.com	2.9	1.4	1.4	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Es wurden noch keine Informationen zu CWE veröffentlicht.

http://www.openwall.com/lists/oss-security/2024/07/11/6

http://www.openwall.com/lists/oss-security/2024/07/19/3

https://hackerone.com/reports/2145862

https://security.netapp.com/advisory/ntap-20240816-0007/

https://nvd.nist.gov/vuln/detail/CVE-2024-22018

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22018

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22018

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-22018