SecuritySpace - CVE-2024-21896

Vulnerability Search		Search 324607 CVE descriptions and 146377 test descriptions, access 10,000+ cross references.
	Tests CVE All

CVE ID: CVE-2024-21896

Description: The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Test IDs: None available

Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2024-21896
https://hackerone.com/reports/2218653
https://hackerone.com/reports/2218653
http://www.openwall.com/lists/oss-security/2024/03/11/1

CVE ID:	CVE-2024-21896
Description:	The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Test IDs:	None available
Cross References:	Common Vulnerability Exposure (CVE) ID: CVE-2024-21896 https://hackerone.com/reports/2218653 https://hackerone.com/reports/2218653 http://www.openwall.com/lists/oss-security/2024/03/11/1