Bug 1227554 (CVE-2024-22020)

Summary: VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/413047/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-22020:6.5:(AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-09 09:35:21 UTC 
A security flaw in Node.js  allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22020
https://www.cve.org/CVERecord?id=CVE-2024-22020
https://hackerone.com/reports/2092749
https://bugzilla.redhat.com/show_bug.cgi?id=2296417
https://github.com/nodejs/node/pull/53764

Patch:
https://github.com/nodejs/node/pull/53764/commits/15c2d8d75ed8a431cb782d8af2a78a96e8f91f66
Comment 3 Maintenance Automation 2024-07-16 08:30:01 UTC 
SUSE-SU-2024:2496-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34774](https://smelt.suse.de/incident/34774/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.4-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-17 08:30:02 UTC 
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-07-17 08:30:06 UTC 
SUSE-SU-2024:2542-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34773](https://smelt.suse.de/incident/34773/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.4-150400.9.24.2
openSUSE Leap 15.5 (src):
 nodejs18-18.20.4-150400.9.24.2
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.4-150400.9.24.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.