CVE-2024-36137

Name
CVE-2024-36137
Description
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
NVD Severity
low

References

Type URI
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | node | >= 0 | <= 20.15.0 |
| | node | >= 0 | <= 22.4.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| nodejs | edge-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| nodejs | 3.22-main | 20.15.1-r0 | None | fixed |
| nodejs | 3.21-main | 20.15.1-r0 | None | fixed |
| nodejs | 3.20-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| nodejs | 3.19-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |