Red Hat: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model (Multiple Advisories)

Red Hat: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model (Multiple Advisories)

Severity

3

CVSS

(AV:L/AC:L/Au:S/C:P/I:P/A:N)

Published

09/07/2024

Created

09/14/2024

Added

09/13/2024

Modified

09/13/2024

Description

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

Solution(s)

• redhat-upgrade-nodejs
• redhat-upgrade-nodejs-debuginfo
• redhat-upgrade-nodejs-debugsource
• redhat-upgrade-nodejs-devel
• redhat-upgrade-nodejs-docs
• redhat-upgrade-nodejs-full-i18n
• redhat-upgrade-nodejs-nodemon
• redhat-upgrade-nodejs-packaging
• redhat-upgrade-nodejs-packaging-bundler
• redhat-upgrade-npm

References

• CVE-2024-36137
• RHSA-2024:5814
• RHSA-2024:5815