Bug 1227554 (CVE-2024-22020) - VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL
Summary: VUL-0: CVE-2024-22020: nodejs: bypass network import restriction via data URL
Status: NEW
Alias: CVE-2024-22020
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/413047/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-22020:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-09 09:35 UTC by SMASH SMASH
Modified: 2024-07-17 08:30 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-09 09:35:21 UTC
A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22020
https://www.cve.org/CVERecord?id=CVE-2024-22020
https://hackerone.com/reports/2092749
https://bugzilla.redhat.com/show_bug.cgi?id=2296417
https://github.com/nodejs/node/pull/53764

Patch:
https://github.com/nodejs/node/pull/53764/commits/15c2d8d75ed8a431cb782d8af2a78a96e8f91f66
Comment 3 Maintenance Automation 2024-07-16 08:30:01 UTC
SUSE-SU-2024:2496-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: SUSE:Maintenance:34774 (https://smelt.suse.de/incident/34774/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.4-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-17 08:30:02 UTC
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: SUSE:Maintenance:34775 (https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

Comment 5 Maintenance Automation 2024-07-17 08:30:06 UTC
SUSE-SU-2024:2542-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: SUSE:Maintenance:34773 (https://smelt.suse.de/incident/34773/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.4-150400.9.24.2
openSUSE Leap 15.5 (src):
 nodejs18-18.20.4-150400.9.24.2
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.4-150400.9.24.2
