[Git][security-tracker-team/security-tracker][master] CVE-2024-22020/nodejs
Bastien Roucariès (@rouca)
rouca at debian.org
Fri Sep 13 21:17:29 BST 2024
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3c017593 by Bastien Roucariès at 2024-09-13T20:16:20+00:00
CVE-2024-22020/nodejs
This CVE need --experimental-network-imports introduced in 18.
According to https://nodejs.org/en/blog/announcements/v18-release-announce
> Notable milestones include adding experimental support for JSON Import Assertions, the unflagging of JSON modules (experimental), and experimental support for HTTPS and HTTP imports.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -16400,9 +16400,12 @@ CVE-2024-36137 (A vulnerability has been identified in Node.js, affecting users
NOTE: https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#fsfchownfchmod-bypasses-permission-model-cve-2024-36137---low
CVE-2024-22020 (A security flaw in Node.js allows a bypass of network import restrict ...)
- nodejs 20.15.1+dfsg-1
+ [bookworm] - nodejs <not-affected> (Feature was introduced in NodeJS 18)
+ [bullseye] - nodejs <not-affected> (Feature was introduced in NodeJS 18)
NOTE: https://nodejs.org/en/blog/vulnerability/july-2024-security-releases#bypass-network-import-restriction-via-data-url-cve-2024-22020---medium
NOTE: https://hackerone.com/reports/2092749
NOTE: Fixed by https://github.com/nodejs/node/pull/53764/commits/15c2d8d75ed8a431cb782d8af2a78a96e8f91f66
+ NOTE: Experimental HTTPS and HTTP imports was introduced in 18 see https://nodejs.org/en/blog/announcements/v18-release-announce
CVE-2024-6580 (The /n software IPWorks SSH library SFTPServer component can be induce ...)
NOT-FOR-US: /n software IPWorks SSH library SFTPServer component
CVE-2024-6564 (Buffer overflow in "rcar_dev_init" due to using due to using untruste ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c017593e67f6df94f538eee8db4fa7aa76266bc
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c017593e67f6df94f538eee8db4fa7aa76266bc
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240913/01a09157/attachment.htm>
More information about the debian-security-tracker-commits
mailing list