Vulnerability CVE-2024-21890: Information

Description

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

URL: https://nvd.nist.gov/vuln/detail/CVE-2024-21890
Published: Feb. 20, 2024
Modified: March 15, 2024

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
nodesisyphus20.11.1-alt120.12.1-alt1ALT-PU-2024-3054-1340942Fixed
nodesisyphus_riscv6420.12.0-alt120.12.1-alt1ALT-PU-2024-5928-1-Fixed
nodesisyphus_loongarch6420.11.1-alt120.12.1-alt1ALT-PU-2024-3136-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://hackerone.com/reports/2257156
    https://security.netapp.com/advisory/ntap-20240315-0002/
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.4.2
      Back to top