#VU86728 Inconsistency between implementation and documented design in Node.js


Published: 2024-02-22

Vulnerability identifier: #VU86728

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21890

CWE-ID: CWE-1068

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper handling of wildcards in --allow-fs-read and --allow-fs-write. A remote attacker can gain access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 21.6.0 - 21.6.1, 21.5.0, 21.4.0, 20.11.0

External links
http://hackerone.com/reports/2257156
http://nodejs.org/en/blog/vulnerability/february-2024-security-releases

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace
Red Hat Enterprise Linux 9 update for the nodejs:20 module
Red Hat Enterprise Linux 8 update for nodejs:20
Multiple vulnerabilities in Oracle Linux
Oracle Solaris update for thrid-party components
Multiple vulnerabilities in IBM Voice Gateway
Multiple vulnerabilities in IBM Answer Retrieval for Watson Discovery
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Multiple vulnerabilities in IBM Business Automation Workflow
SUSE update for nodejs20