CVE-2024-22018

EPSS 0.16%
Veröffentlicht 10.07.2024 02:15:03
Zuletzt bearbeitet 21.11.2024 08:55:24
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.
This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerNodeJS

≫

Produkt Node

Default Statusunaffected

Version < 4.*

Version 4.0

Status affected

Version < 5.*

Version 5.0

Status affected

Version < 6.*

Version 6.0

Status affected

Version < 7.*

Version 7.0

Status affected

Version < 8.*

Version 8.0

Status affected

Version < 9.*

Version 9.0

Status affected

Version < 10.*

Version 10.0

Status affected

Version < 11.*

Version 11.0

Status affected

Version < 12.*

Version 12.0

Status affected

Version < 13.*

Version 13.0

Status affected

Version < 14.*

Version 14.0

Status affected

Version < 15.*

Version 15.0

Status affected

Version < 16.*

Version 16.0

Status affected

Version < 17.*

Version 17.0

Status affected

Version < 19.*

Version 19.0

Status affected

Version < 20.15.1

Version 20.0

Status affected

Version < 21.*

Version 21.0

Status affected

Version < 22.4.1

Version 22.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.37

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
support@hackerone.com	2.9	1.4	1.4	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

http://www.openwall.com/lists/oss-security/2024/07/11/6

http://www.openwall.com/lists/oss-security/2024/07/19/3

https://hackerone.com/reports/2145862

https://security.netapp.com/advisory/ntap-20240816-0007/

https://nvd.nist.gov/vuln/detail/CVE-2024-22018

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22018

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22018

EUVD