CVE-2024-21890

CWE-10597 documents7 sources
Severity
6.5MEDIUM
EPSS
1.4%
top 19.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nodejs NodeNodejs Node.js
Timeline
PublishedFeb 20

Description

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

CVEListV5nodejs/node4.04.*+16
NVDnodejs/node.js20.0.020.11.1+1

🔴Vulnerability Details

3
OSV
CVE-2024-21890: The Node2024-02-20
GHSA
GHSA-m27w-wvc9-v4mq: The Node2024-02-20
CVEList
CVE-2024-21890: The Node2024-02-20

📋Vendor Advisories

3
Red Hat
nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write2024-02-19
Microsoft
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` 2024-02-13
Debian
CVE-2024-21890: nodejs - The Node.js Permission Model does not clarify in the documentation that wildcard...2024
CVE-2024-21890 (MEDIUM CVSS 6.5) | The Node.js Permission Model does n | cvebase.io