AZL-43213

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43213.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-43213

Upstream

CVE-2024-22018

Published

2024-07-10T02:15:03Z

Modified

2026-04-01T05:15:01.089657Z

Summary

CVE-2024-22018 affecting package nodejs 20.14.0-13

Details

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-22018

Affected packages

Azure Linux:3 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/azure-linux/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

20.14.0-13

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-43213.json"