Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-21892

Опубликовано: 20 фев. 2024
Источник: nvd
CVSS3: 7.5
CVSS3: 7.8
EPSS Низкий

Описание

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одновременно

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Версия от 18.0.0 (включая) до 18.19.1 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Версия от 20.0.0 (включая) до 20.11.1 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
Версия от 21.0.0 (включая) до 21.6.2 (исключая)
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

EPSS

Процентиль: 44%
0.00213
Низкий

7.5 High

CVSS3

7.8 High

CVSS3

Дефекты

CWE-94
CWE-269

Связанные уязвимости

ubuntu логотип

CVE-2024-21892

CVSS3: 7.8
ubuntu
больше 1 года назад

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

redhat логотип

CVE-2024-21892

CVSS3: 8.1
redhat
больше 1 года назад

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

msrc логотип

CVE-2024-21892

CVSS3: 7.8
msrc
больше 1 года назад

Описание отсутствует

debian логотип

CVE-2024-21892

CVSS3: 7.8
debian
больше 1 года назад

On Linux, Node.js ignores certain environment variables if those may h ...

github логотип

GHSA-f27j-4f6g-jp27

CVSS3: 7.5
github
больше 1 года назад

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.

EPSS

Процентиль: 44%
0.00213
Низкий

7.5 High

CVSS3

7.8 High

CVSS3

Дефекты

CWE-94
CWE-269