Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-749)

medium Nessus Plugin ID 210001

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-749 advisory.

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. (CVE-2024-22018)

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. (CVE-2024-22020)

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. (CVE-2024-28863)

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.

The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a read-only file descriptor to change the owner and permissions of a file. (CVE-2024-36137)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update nodejs20 --releasever 2023.6.20241028' to update your system.

See Also

https://alas.aws.amazon.com/faqs.html

https://alas.aws.amazon.com/cve/html/CVE-2024-22018.html

https://alas.aws.amazon.com/cve/html/CVE-2024-22020.html

https://alas.aws.amazon.com/cve/html/CVE-2024-28863.html

https://alas.aws.amazon.com/cve/html/CVE-2024-36137.html

https://alas.aws.amazon.com/AL2023/ALAS-2024-749.html

Plugin Details

Severity: Medium

ID: 210001

File Name: al2023_ALAS2023-2024-749.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/31/2024

Updated: 10/31/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-22020

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:nodejs20, p-cpe:/a:amazon:linux:nodejs20-debuginfo, p-cpe:/a:amazon:linux:nodejs20-debugsource, p-cpe:/a:amazon:linux:nodejs20-devel, p-cpe:/a:amazon:linux:nodejs20-docs, p-cpe:/a:amazon:linux:nodejs20-full-i18n, p-cpe:/a:amazon:linux:nodejs20-libs, p-cpe:/a:amazon:linux:nodejs20-libs-debuginfo, p-cpe:/a:amazon:linux:nodejs20-npm, p-cpe:/a:amazon:linux:v8-11.3-devel

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/24/2024

Vulnerability Publication Date: 3/21/2024

Reference Information

CVE: CVE-2024-22018, CVE-2024-22020, CVE-2024-28863, CVE-2024-36137