CVE-2024-21892

Published: 20/02/2024 Updated: 01/05/2024

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

Debian Bug report logs - #1064055 nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892 Package: src:nodejs; Maintainer for src:nodejs is Debian Javascript Maintainers <pkg-javascript-devel@alioth-listsdebiannet>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Fri, 16 Feb 2024 14:30:02 UTC Severity: grave Ta ...

DescriptionA flaw was found in Nodejs On Linux, Nodejs ignores certain environment variables if they have been set by an unprivileged user while the process is running with elevated privileges, with the exception of CAP_NET_BIND_SERVICE Due to a bug in the implementation of this exception, Nodejs incorrectly applies this exception even ...

This posting is largely based on the NodeJS blog post at nodejsorg/en/blog/vulnerability/february-2024-security-releases with some edits and extras by me Please note that it still uses future tense to talk about the releases, which should actually have been made by now ====== Summary ====== The Nodejs project will release new version ...

https://hackerone.com/reports/2237545 https://security.netapp.com/advisory/ntap-20240322-0003/http://www.openwall.com/lists/oss-security/2024/03/11/1 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064055 https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2024-21892

CVE-2024-21892

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

References

Vulmon Search

About

Products

Connect