A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 13:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 09 Sep 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Sat, 07 Sep 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors. However, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. |
References |
| |
Metrics |
cvssV3_0
|
Mon, 26 Aug 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat enterprise Linux |
|
CPEs | cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 |
|
Vendors & Products |
Redhat
Redhat enterprise Linux |
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-09-07T16:00:35.999Z
Updated: 2024-11-22T12:04:50.713Z
Reserved: 2024-05-21T01:04:07.208Z
Link: CVE-2024-36137
Vulnrichment
Updated: 2024-11-22T12:04:50.713Z
NVD
Status : Awaiting Analysis
Published: 2024-09-07T16:15:02.410
Modified: 2024-11-22T12:15:18.817
Link: CVE-2024-36137
Redhat