CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector : AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Exploitability : 1.5 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/03/11/1
https://hackerone.com/reports/2218653
https://security.netapp.com/advisory/ntap-20240329-0002/
http://www.openwall.com/lists/oss-security/2024/03/11/1
https://hackerone.com/reports/2218653
https://security.netapp.com/advisory/ntap-20240329-0002/

Configurations

No configuration.

History

21 Nov 2024, 08:55

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2024/03/11/1 -~~	() http://www.openwall.com/lists/oss-security/2024/03/11/1 -
References	~~() https://hackerone.com/reports/2218653 -~~	() https://hackerone.com/reports/2218653 -
References	~~() https://security.netapp.com/advisory/ntap-20240329-0002/ -~~	() https://security.netapp.com/advisory/ntap-20240329-0002/ -

27 Aug 2024, 16:35

Type	Values Removed	Values Added
CWE		CWE-27

01 May 2024, 18:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2024/03/11/1 -

29 Mar 2024, 13:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240329-0002/ -

20 Feb 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-20 02:15

Updated : 2024-11-21 08:55

NVD link : CVE-2024-21896

Mitre link : CVE-2024-21896

CVE.ORG link : CVE-2024-21896

JSON object : View

Products Affected

No product.

CWE

CWE-27

Path Traversal: 'dir/../../filename'

{"id": "CVE-2024-21896", "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.5}]}, "published": "2024-02-20T02:15:50.770", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/2218653", "source": "support@hackerone.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0002/", "source": "support@hackerone.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/11/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2218653", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240329-0002/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-27"}]}], "descriptions": [{"lang": "en", "value": "The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.\nThis vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.\nPlease note that at the time this CVE was issued, the permission model is an experimental feature of Node.js."}, {"lang": "es", "value": "El modelo de permiso se protege contra ataques de path traversal llamando a path.resolve() en cualquier ruta proporcionada por el usuario. Si la ruta se va a tratar como un b\u00fafer, la implementaci\u00f3n usa Buffer.from() para obtener un b\u00fafer a partir del resultado de path.resolve(). Al parchear los componentes internos del Buffer, es decir, Buffer.prototype.utf8Write, la aplicaci\u00f3n puede modificar el resultado de path.resolve(), lo que conduce a una vulnerabilidad de path traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permiso experimental en Node.js 20 y Node.js 21. Tenga en cuenta que en el momento en que se emiti\u00f3 este CVE, el modelo de permiso es una caracter\u00edstica experimental de Node.js."}], "lastModified": "2024-11-21T08:55:13.107", "sourceIdentifier": "support@hackerone.com"}