CVE-2024-21890
First published: Tue Feb 20 2024(Updated: )
Node.js could allow a remote attacker to bypass security restrictions, caused by the improper handling of wildcards in --allow-fs-read and --allow-fs-write. An attacker could exploit this vulnerability to gain access to the system.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <20.11.1 | 20.11.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| Node.js | >=20.0.0<20.11.1 | |
| Node.js | >=21.0.0<21.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2265723
- https://access.redhat.com/errata/RHSA-2024:1688
- https://access.redhat.com/errata/RHSA-2024:1687
- https://bugzilla.redhat.com/show_bug.cgi?id=2265722
- http://www.openwall.com/lists/oss-security/2024/03/11/1
- https://hackerone.com/reports/2257156
- https://security.netapp.com/advisory/ntap-20240315-0002/
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-21890?
CVE-2024-21890 has been rated as a high severity vulnerability due to its potential to allow remote attackers to bypass security restrictions.
How do I fix CVE-2024-21890?
To fix CVE-2024-21890, update Node.js to version 20.11.1 or apply the relevant patches from IBM for Cognos Analytics.
What versions of Node.js are affected by CVE-2024-21890?
CVE-2024-21890 affects versions of Node.js prior to 20.11.1.
What types of attacks can exploit CVE-2024-21890?
CVE-2024-21890 can be exploited by remote attackers to gain unauthorized access to the system due to improper handling of wildcards.
Is there documentation clarifying the Node.js Permission Model related to CVE-2024-21890?
The Node.js Permission Model lacks clear documentation regarding the handling of permission flags, which is part of the problem outlined in CVE-2024-21890.
- agent/type
- agent/first-publish-date
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-21890
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/references
- agent/description
- agent/trending
- agent/source
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- vendor/nodejs
- canonical/node.js
- version/node.js/20.0.0
- version/node.js/21.0.0