(RHSA-2024:5815) Moderate: nodejs:20 security update

2024-08-2607:11:46

access.redhat.com

node.js

security update

cve-2024-22020

cve-2024-22018

cve-2024-36137

unix

CVSS3

6.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

AI Score

7.2

Confidence

Low

EPSS

Percentile

16.3%

JSON

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):

nodejs: Bypass network import restriction via data URL (CVE-2024-22020)
nodejs: fs.lstat bypasses permission model (CVE-2024-22018)
nodejs: fs.fchown/fchmod bypasses permission model (CVE-2024-36137)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
RedHatanyx86_64nodejs< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHatanyaarch64npm< 10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127npm-10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127.aarch64.rpm
RedHatanyx86_64nodejs-debugsource< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-debugsource-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHatanynoarchnodejs-nodemon< 3.0.1-1.module+el9.3.0.z+20478+84a9f781nodejs-nodemon-3.0.1-1.module+el9.3.0.z+20478+84a9f781.noarch.rpm
RedHatanys390xnodejs-devel< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-devel-20.16.0-1.module+el9.4.0+22197+9e60f127.s390x.rpm
RedHatanyx86_64nodejs-full-i18n< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-full-i18n-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHatanyx86_64nodejs-debuginfo< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHatanynoarchnodejs-docs< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-docs-20.16.0-1.module+el9.4.0+22197+9e60f127.noarch.rpm
RedHatanyaarch64nodejs-debuginfo< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.aarch64.rpm
RedHatanyppc64lenodejs-debuginfo< 20.16.0-1.module+el9.4.0+22197+9e60f127nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.ppc64le.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	any	x86_64	nodejs	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHat	any	aarch64	npm	< 10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127	npm-10.8.1-1.20.16.0.1.module+el9.4.0+22197+9e60f127.aarch64.rpm
RedHat	any	x86_64	nodejs-debugsource	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-debugsource-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHat	any	noarch	nodejs-nodemon	< 3.0.1-1.module+el9.3.0.z+20478+84a9f781	nodejs-nodemon-3.0.1-1.module+el9.3.0.z+20478+84a9f781.noarch.rpm
RedHat	any	s390x	nodejs-devel	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-devel-20.16.0-1.module+el9.4.0+22197+9e60f127.s390x.rpm
RedHat	any	x86_64	nodejs-full-i18n	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-full-i18n-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHat	any	x86_64	nodejs-debuginfo	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.x86_64.rpm
RedHat	any	noarch	nodejs-docs	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-docs-20.16.0-1.module+el9.4.0+22197+9e60f127.noarch.rpm
RedHat	any	aarch64	nodejs-debuginfo	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.aarch64.rpm
RedHat	any	ppc64le	nodejs-debuginfo	< 20.16.0-1.module+el9.4.0+22197+9e60f127	nodejs-debuginfo-20.16.0-1.module+el9.4.0+22197+9e60f127.ppc64le.rpm