How severe is CVE-2024-21896?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.9 out of 10.

What type of vulnerability is CVE-2024-21896?

This is classified as CWE-27, which is a common weakness in software security.

CVE-2024-21896 - HIGH Severity | CVSS 7.9

Vulnerability Description

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Related Vulnerabilities

CVE-2021-35027

HIGH

CVSS:7.5(High)

A directory traversal vulnerability in the web server of the Zyxel VPN2S firmware version 1.12 could allow a remote attacker to gain access to sensitive information.

CWE-272021

CVE-2024-20348

HIGH

CVSS:7.5(High)

A vulnerability in the Out-of-Band (OOB) Plug and Play (PnP) feature of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to read arbitrary files. This vul...

CWE-272024

CVE-2024-24809

HIGH

CVSS:8.5(High)

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by defau...

CWE-272024

CVE-2023-20090

MEDIUM

CVSS:6.7(Medium)

A vulnerability in Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to improper access contr...

CWE-272023

CVE-2023-20127

MEDIUM

CVSS:6.5(Medium)

Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow a remote attacker to obtain privileged in...

CWE-272023

CVE-2023-20129

MEDIUM

CVSS:6.5(Medium)

CWE-272023