A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
History

Fri, 22 Nov 2024 13:00:00 +0000

Type Values Removed Values Added
References

Mon, 09 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 07 Sep 2024 16:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors. However, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
References
Metrics cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Mon, 26 Aug 2024 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2024-09-07T16:00:35.999Z

Updated: 2024-11-22T12:04:50.713Z

Reserved: 2024-05-21T01:04:07.208Z

Link: CVE-2024-36137

cve-icon Vulnrichment

Updated: 2024-11-22T12:04:50.713Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-07T16:15:02.410

Modified: 2024-11-22T12:15:18.817

Link: CVE-2024-36137

cve-icon Redhat

Severity : Low

Publid Date: 2024-07-08T00:00:00Z

Links: CVE-2024-36137 - Bugzilla