Bug 1227562 (CVE-2024-22018)

Summary: VUL-0: CVE-2024-22018: nodejs: fs.lstat bypasses permission model
Product: [Novell Products] SUSE Security Incidents Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2024-22018:2.8:(AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andrea Mattiazzo 2024-07-09 10:02:04 UTC 
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to.

This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Impact:

This vulnerability affects all users in active release lines: 22.x, 20.x

References:
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#fslstat-bypasses-permission-model-cve-2024-22018---low

Patch:
https://github.com/nodejs/node/commit/b9289a6e29e54beeaa3f781bde1195e48df0da75
Comment 3 Maintenance Automation 2024-07-17 08:30:02 UTC 
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.