Alerts This Week
Warning Icon 1 916
Alerts This Week
Warning Icon 1 916

SUSE: 2024:2574-1 Moderate: Nodejs20 Permissions Issue Fix

suse
Calendar Grey July 22, 2024
Dist Suse Esm H88
Node.js version 20 has a security patch addressing several moderate-risk vulnerabilities. Review your systems to find those affected and adhere to update guidelines
* bsc#1227554 * bsc#1227560 * bsc#1227561 * bsc#1227562 * bsc#1227563

Summary

## This update for nodejs20 fixes the following issues: Update to 20.15.1: * CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560) * CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554) * CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562) * CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561) * CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563) Changes in 20.15.0: * test_runner: support test plans * inspector: introduce the --inspect-wait flag * zlib: expose zlib.crc32() * cli: allow running wasm in limited vmem with --disable-wasm-trap-handler Changes in 20.14.0 * src,permission: throw async errors on async APIs * test_runner: support forced exit Changes in 20.13.1:

Topics%20covered

Topics Covered

security advisory moderate severity openSUSE Node.js scripting patch permission model

References

* bsc#1227554

* bsc#1227560

* bsc#1227561

* bsc#1227562

* bsc#1227563

Cross-

* CVE-2024-22018

* CVE-2024-22020

* CVE-2024-27980

* CVE-2024-36137

* CVE-2024-36138

* CVE-2024-37372

CVSS scores:

* CVE-2024-22018 ( SUSE ): 2.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

* CVE-2024-22020 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

* CVE-2024-36137 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected Products:

* openSUSE Leap 15.6

* SUSE Linux Enterprise Server 15 SP6

* SUSE Linux Enterprise Server for SAP Applications 15 SP6

* Web and Scripting Module 15-SP6

An update that solves six vulnerabilities can now be installed.

##

* https://www.suse.com/security/cve/CVE-2024-22018.html

* https://www.suse.com/security/cve/CVE-2024-22020.html

Announcement ID: SUSE-SU-2024:2574-1
Rating: moderate

Topics%20covered

Topics Covered

security advisory moderate severity openSUSE Node.js scripting patch permission model

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here