UBUNTU-CVE-2024-36137

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-36137

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-36137.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-36137

Related

CVE-2024-36137

Published

2024-09-07T16:15:00Z

Modified

2025-06-03T08:54:05Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.

References

Affected packages

Ubuntu:24.10 / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@20.16.0+dfsg-1ubuntu1?arch=source&distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.16.0+dfsg-1ubuntu1

Affected versions

18.*

18.19.1+dfsg-6ubuntu5

18.20.1+dfsg-4ubuntu4

20.*

20.13.1+dfsg-2ubuntu6

20.14.0+dfsg-1ubuntu1

20.14.0+dfsg-2ubuntu1

20.14.0+dfsg-3ubuntu1

20.15.0+dfsg-1ubuntu3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode-dev"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode115"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode115-dbgsym"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs-dbgsym"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs-doc"
        }
    ]
}

Ubuntu:25.04 / nodejs

Package

Name: nodejs
Purl: pkg:deb/ubuntu/nodejs@20.16.0+dfsg-1ubuntu1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.16.0+dfsg-1ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode-dev"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode115"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "libnode115-dbgsym"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs-dbgsym"
        },
        {
            "binary_version": "20.16.0+dfsg-1ubuntu1",
            "binary_name": "nodejs-doc"
        }
    ]
}