1219994 – (CVE-2024-21896) VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals

Bug 1219994 (CVE-2024-21896) - VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer internals

Summary: VUL-0: CVE-2024-21896: nodejs20: Path traversal by monkey-patching Buffer int...

Status:	RESOLVED FIXED

Alias:	CVE-2024-21896

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/394351/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-21896:7.0:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-02-16 08:36 UTC by SMASH SMASH
Modified:	2024-06-06 12:19 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-02-16 08:36:34 UTC

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/

Path traversal by monkey-patching Buffer internals (CVE-2024-21896) - (High)

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve().

By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability.

Impacts:

    This vulnerability affects all users using the experimental permission model in active release lines: 20.x and 21.x.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Thank you, to Tobias Nießen for reporting this vulnerability and for fixing it.

Comment 1 OBSbugzilla Bot 2024-02-16 17:15:10 UTC

This is an autogenerated message for OBS integration:
This bug (1219994) was mentioned in
https://build.opensuse.org/request/show/1147152 Factory / nodejs20
https://build.opensuse.org/request/show/1147153 Factory / nodejs21

Comment 3 Maintenance Automation 2024-02-28 12:30:13 UTC

SUSE-SU-2024:0643-1: An update that solves 10 vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1219152, 1219724, 1219992, 1219993, 1219994, 1219995, 1219997, 1219998, 1219999, 1220014, 1220017
CVE References: CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806
Sources used:
openSUSE Leap 15.5 (src): nodejs20-20.11.1-150500.11.6.1
Web and Scripting Module 15-SP5 (src): nodejs20-20.11.1-150500.11.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Alexander Bergmann 2024-06-06 12:19:43 UTC

Fixed and released.