Bugzilla – Bug 1227561
VUL-0: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model
Last modified: 2024-07-17 08:30:02 UTC
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 22. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Impact: This vulnerability affects all users in active release lines: 22.x, 20.x References: https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#fsfchownfchmod-bypasses-permission-model-cve-2024-36137---low Patch: https://github.com/nodejs/node/commit/01e9eac91234100bff0151c70caa84c110910081
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed. Category: security (moderate) Bug References: 1227554, 1227560, 1227561, 1227562, 1227563 CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372 Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/) Sources used: openSUSE Leap 15.5 (src): nodejs20-20.15.1-150500.11.12.2 Web and Scripting Module 15-SP5 (src): nodejs20-20.15.1-150500.11.12.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.