CVE-2024-36137
LOW3.3EPSS 0.10%發布日:2024/9/7修改日:2025/12/3
也稱為:ALPINE-CVE-2024-36137
描述
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
受影響套件(4)
- Alpine/nodejsfrom 0, < 20.15.1-r0
- Bitnami/node>= 20.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
- Bitnami/node-min>= 20.0.0, < 20.18.1, >= 21.0.0, < 22.12.0
- Debian/nodejsfrom 0, < 20.15.1+dfsg-1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
參考連結(5)
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2024-36137
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-36137
- WEBhttps://nodejs.org/en/blog/vulnerability/july-2024-security-releases
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-36137
- WEBhttps://security.netapp.com/advisory/ntap-20241122-0005/