Unprivileged Users Can Inject Code with Elevated Privileges in Node.js Due to Bug
CVE-2024-21892

7.8HIGH

Key Information:

Vendor

Node.js

Status
Node.js
Vendor
CVE Published:
20 February 2024

What is CVE-2024-21892?

A security vulnerability in Node.js on Linux systems allows unprivileged users to manipulate environment variables that can lead to code injection with inherited elevated privileges. The issue arises when the Node.js process fails to correctly validate environment variables set by unprivileged users while running with elevated privileges, except for CAP_NET_BIND_SERVICE. Due to a bug in handling this exception, other capabilities can unintentionally permit the injection of malicious code, potentially compromising system security and integrity. This issue emphasizes the need for enhanced security measures within Node.js implementations to prevent escalation of privileges.

Affected Version(s)

Node.js 21.6.0

Node.js 20.11.0

Node.js 18.19.0

References

https://hackerone.com/reports/2237545
https://security.netapp.com/advisory/ntap-20240322-0003/
http://www.openwall.com/lists/oss-security/2024/03/11/1

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.