VDB
BIT-node-min-2024-21892
BIT-node-min-2024-21892
PUBLISHED
CVSS 7.800000190734863 HIGH
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
Risk Scores
CVSS 3.1
7.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | node-min | 0, 19.0.0, 21.0.0 |
Timeline
- Dec 16, 2024 CVE Published
- Feb 11, 2026 CVE Updated
References
- http://www.openwall.com/lists/oss-security/2024/03/11/1 url
- https://hackerone.com/reports/2237545 url
- https://security.netapp.com/advisory/ntap-20240322-0003/ url
- https://nvd.nist.gov/vuln/detail/CVE-2024-21892 url
- https://bugzilla.redhat.com/show_bug.cgi?id=2264582 url
- https://github.com/nodejs/node/commit/10ecf400679e04eddab940721cad3f6c1d603b61 url
- https://github.com/nodejs/node/commit/2a5a150772c6a41795314340c8697035a1b344b6 url
- https://github.com/nodejs/node/commit/b43171c6f669b2223064343e2c8472582586f727 url
- https://github.com/nodejs/node/commit/e6b4c105e0795fba8afb3f8e910c56ba9e60f4b5 url
- https://www.oracle.com/security-alerts/cpuapr2024.html url