Bug 2296417 (CVE-2024-22020) - CVE-2024-22020 nodejs: Bypass network import restriction via data URL
Summary: CVE-2024-22020 nodejs: Bypass network import restriction via data URL
Keywords:
Status: NEW
Alias: CVE-2024-22020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2296456 2296457
Blocks:
Reported: 2024-07-09 02:20 UTC by OSIDB Bzimport
Modified: 2024-09-05 14:55 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Node.js package. By embedding non-network imports in data URLs, this flaw allows an attacker to execute arbitrary code, compromising system security.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                 | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:5900 | 0       | None     | None   | None    | 2024-08-27 13:46:35 UTC
Red Hat Product Errata | RHBA-2024:5925 | 0       | None     | None   | None    | 2024-08-28 10:06:12 UTC
Red Hat Product Errata | RHBA-2024:5947 | 0       | None     | None   | None    | 2024-08-28 16:06:19 UTC
Red Hat Product Errata | RHBA-2024:5950 | 0       | None     | None   | None    | 2024-08-28 17:05:23 UTC
Red Hat Product Errata | RHBA-2024:5954 | 0       | None     | None   | None    | 2024-08-28 17:37:21 UTC
Red Hat Product Errata | RHBA-2024:6154 | 0       | None     | None   | None    | 2024-09-03 05:23:08 UTC
Red Hat Product Errata | RHBA-2024:6231 | 0       | None     | None   | None    | 2024-09-03 14:24:01 UTC
Red Hat Product Errata | RHBA-2024:6431 | 0       | None     | None   | None    | 2024-09-05 14:55:06 UTC
Red Hat Product Errata | RHSA-2024:5814 | 0       | None     | None   | None    | 2024-08-26 08:29:03 UTC
Red Hat Product Errata | RHSA-2024:5815 | 0       | None     | None   | None    | 2024-08-26 08:06:23 UTC
Red Hat Product Errata | RHSA-2024:6147 | 0       | None     | None   | None    | 2024-09-03 02:22:56 UTC
Red Hat Product Errata | RHSA-2024:6148 | 0       | None     | None   | None    | 2024-09-03 02:24:56 UTC


Description OSIDB Bzimport 2024-07-09 02:20:14 UTC
A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers.
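The description above states the rule (a module fetched over the network may only import other network modules) and the fix (data: URLs are no longer accepted from network parents). The following is an added example written for this page, not code from the Node.js project or from the fix itself. It models that policy as a plain function and wraps it in a hook shaped like the `resolve(specifier, context, nextResolve)` hook that Node's `module.register()` API accepts; the function names `isAllowedFromNetworkParent`, `resolveSpecifier`, `auditImportGraph` and the `forbidDataURLs` option are this example's own, and the sample import graph is constructed. The `forbidDataURLs: false` setting reproduces the pre-fix behaviour only to show which edge the check previously let through; the default is the corrected rule.

```javascript
// Added example: a network-import policy check in the spirit of the
// CVE-2024-22020 fix. Not Node.js project code; names are this example's own.
const NETWORK_SCHEMES = new Set(["http:", "https:"]);

// Resolve a specifier against its parent the way the ESM loader does for
// URL-based specifiers. Returns null when the pair does not form a URL.
function resolveSpecifier(specifier, parentURL) {
  try {
    return new URL(specifier, parentURL);
  } catch {
    return null;
  }
}

// Policy: a parent loaded over http(s) may only import http(s) modules.
// Before the fix, a data: URL was accepted here even though its body can
// carry any import; the corrected rule (forbidDataURLs = true, the default)
// rejects data: targets from network parents along with node:, file: and
// anything else that is not a network scheme.
function isAllowedFromNetworkParent(specifier, parentURL, { forbidDataURLs = true } = {}) {
  const parent = new URL(parentURL);
  if (!NETWORK_SCHEMES.has(parent.protocol)) {
    return true; // the restriction applies only to network-loaded parents
  }
  const target = resolveSpecifier(specifier, parentURL);
  if (target === null) {
    return false; // unresolvable specifier: fail closed
  }
  if (NETWORK_SCHEMES.has(target.protocol)) {
    return true;
  }
  if (target.protocol === "data:") {
    return !forbidDataURLs;
  }
  return false;
}

// Run the policy over a list of { parentURL, specifier } edges and return
// the edges that would be refused, so an operator can review them.
function auditImportGraph(edges, options) {
  return edges.filter(
    (edge) => !isAllowedFromNetworkParent(edge.specifier, edge.parentURL, options),
  );
}

// Hook in the shape of Node's module.register() resolve hook (assumption:
// context.parentURL is the importing module's URL, as the hooks API documents).
async function resolve(specifier, context, nextResolve) {
  const parentURL = context.parentURL ?? "file:///";
  if (!isAllowedFromNetworkParent(specifier, parentURL)) {
    throw new Error(
      `import of ${specifier} from network-loaded module ${parentURL} is not permitted`,
    );
  }
  return nextResolve(specifier, context);
}

// Constructed sample graph: one network-loaded entry point and its imports.
const SAMPLE_EDGES = [
  { parentURL: "https://cdn.example/app.js", specifier: "./util.js" },
  { parentURL: "https://cdn.example/app.js", specifier: "node:fs" },
  { parentURL: "https://cdn.example/app.js", specifier: "data:text/javascript,export default 1" },
  { parentURL: "file:///srv/app/main.js", specifier: "node:fs" },
];

module.exports = { isAllowedFromNetworkParent, resolveSpecifier, auditImportGraph, resolve, SAMPLE_EDGES };
```

With the default options, `auditImportGraph(SAMPLE_EDGES)` flags the `node:fs` and `data:` edges under the network parent and leaves the local `file:` parent alone; with `{ forbidDataURLs: false }` only the `node:fs` edge is flagged, which is the gap the fix closes.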

Comment 1 errata-xmlrpc 2024-08-26 08:06:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5815 https://access.redhat.com/errata/RHSA-2024:5815

Comment 2 errata-xmlrpc 2024-08-26 08:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5814 https://access.redhat.com/errata/RHSA-2024:5814

Comment 3 errata-xmlrpc 2024-09-03 02:22:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6147 https://access.redhat.com/errata/RHSA-2024:6147

Comment 4 errata-xmlrpc 2024-09-03 02:24:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6148 https://access.redhat.com/errata/RHSA-2024:6148

