Bug 1227563 (CVE-2024-37372)

Summary:	VUL-0: CVE-2024-37372: nodejs: permission model improperly processes UNC paths
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andrea Mattiazzo <andrea.mattiazzo>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P5 - None	CC:	amajer
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andrea Mattiazzo 2024-07-09 10:04:22 UTC

The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

This vulnerability affects Windows users of the Node.js Permission Model in version v22.x and v20.x

Impact:

This vulnerability affects all users in active release lines: 22.x, 20.x

References:
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#permission-model-improperly-processes-unc-paths-cve-2024-37372---low

Comment 1 Andrea Mattiazzo 2024-07-09 10:04:49 UTC

Closing since it affects only windows users.

Comment 3 Maintenance Automation 2024-07-17 08:30:02 UTC

SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.