SUSE update for nodejs20

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU93882

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22018

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to bypass permissions model.

The vulnerability exists due to application does not properly impose security restrictions when experimental permission model when the --allow-fs-read flag is used. A remote user can retrieve stats from files that they do not have explicit read access to.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU93880

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22020

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when handling non-network imports in data URLs. A remote user can bypass network import restrictions and execute arbitrary code.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Command Injection

EUVDB-ID: #VU88462

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27980

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of batch files in child_process.spawn / child_process.spawnSync. An attacker can inject a malicious command line argument and achieve code execution even if the shell option is not enabled.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU93881

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-36137

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to application does not properly impose security restrictions in the experimental permission model when the --allow-fs-write flag is used. A remote user can change file ownership and permissions via fs.fchown and fs.fchmod.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Command Injection

EUVDB-ID: #VU93879

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-36138

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of batch files in child_process.spawn / child_process.spawnSync on Windows. An attacker can inject a malicious command line argument and achieve code execution even if the shell option is not enabled.

Note, the vulnerability exists due to incomplete fix for #VU88462 (CVE-2024-27980).

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU93883

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-37372

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to bypass permissions model.

The vulnerability exists due to insufficient validation of UNC paths with backslashes. A remote user can bypass certain security restrictions.

Mitigation

Update the affected package nodejs20 to the latest version.

Vulnerable software versions

Web and Scripting Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

openSUSE Leap: 15.5

nodejs20-docs: before 20.15.1-150500.11.12.2

nodejs20-debugsource: before 20.15.1-150500.11.12.2

nodejs20-devel: before 20.15.1-150500.11.12.2

npm20: before 20.15.1-150500.11.12.2

nodejs20-debuginfo: before 20.15.1-150500.11.12.2

nodejs20: before 20.15.1-150500.11.12.2

corepack20: before 20.15.1-150500.11.12.2

CPE2.3

• cpe:2.3:o:suse:web_and_scripting_module:15-SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:

External links

http://www.suse.com/support/update/announcement/2024/suse-su-20242543-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.