CVE-2024-22020

{"id": "CVE-2024-22020", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "support@hackerone.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.0}]}, "published": "2024-07-09T02:15:09.973", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6", "source": "support@hackerone.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3", "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/2092749", "source": "support@hackerone.com"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/2092749", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20241122-0006/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nVerified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers."}, {"lang": "es", "value": "Un fallo de seguridad en Node.js permite eludir las restricciones de importaci\u00f3n de la red. Al incorporar importaciones fuera de la red en las URL de datos, un atacante puede ejecutar c\u00f3digo arbitrario, comprometiendo la seguridad del sistema. Verificada en varias plataformas, la vulnerabilidad se mitiga al prohibir las URL de datos en las importaciones de red. La explotaci\u00f3n de este fallo puede violar la seguridad de importaci\u00f3n de la red, lo que representa un riesgo para los desarrolladores y servidores."}], "lastModified": "2025-03-14T19:15:44.700", "sourceIdentifier": "support@hackerone.com"}