Server JavaScript Platform Node.js Fixes Multiple Vulnerabilities
The server JavaScript platform Node.js has addressed several issues in its latest releases: node.js 21.6.2, 20.11.1, and 18.19.1. These releases have fixed a total of 8 vulnerabilities, including 4 that are classified as high-risk.
- CVE-2024-21892: This vulnerability allows an attacker to substitute an unvalidated user and inherit expanded privileges during the workflow. The vulnerability is caused by an error in the implementation of an exception. It enables the processing of environment variables set by an unwitting user with advanced privileges. The exception was intended only for CAP_NET_BID_SERVICE powers but was mistakenly applied to other capabilities.
- CVE-2024-22019: This vulnerability leads to a denial of service condition by overloading the CPU and consuming throughput while processing a Chunked-request in the built-in HTTP server. It allows an attacker to read an unlimited number of bytes through a single connection.
- CVE-2024-21896: This vulnerability enables unauthorized access to the base directory in file tracks. By bypassing the normalization of file tracks using Path.Resolve(), an attacker can replace the contents after the execution of Path.Resolve() through the use of the BUFFER.Prototype.utf8write call.
- CVE-2024-22017: The “Setuid()” call fails to discard all privileges, specifically affecting IO_URING operations initialized before the Setuid() call in LIBUV.
- CVE-2023-46809: This vulnerability exists
/Reports, release notes, official announcements.