{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37372", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2024-06-07T01:04:06.869Z", "datePublished": "2025-01-09T00:33:47.662Z", "dateUpdated": "2025-01-09T21:38:02.105Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases."}], "affected": [{"defaultStatus": "unaffected", "vendor": "nodejs", "product": "node", "versions": [{"version": "20.15.0", "status": "affected", "lessThanOrEqual": "20.15.0", "versionType": "semver"}, {"version": "22.4.0", "status": "affected", "lessThanOrEqual": "22.4.0", "versionType": "semver"}]}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 3.6, "baseSeverity": "LOW"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-01-09T00:33:47.662Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T21:37:14.611469Z", "id": "CVE-2024-37372", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T21:38:02.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37372", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-09T21:37:14.611469Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T21:37:56.136Z"}}], "cna": {"metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 3.6, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "nodejs", "product": "node", "versions": [{"status": "affected", "version": "20.15.0", "versionType": "semver", "lessThanOrEqual": "20.15.0"}, {"status": "affected", "version": "22.4.0", "versionType": "semver", "lessThanOrEqual": "22.4.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}], "descriptions": [{"lang": "en", "value": "The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2025-01-09T00:33:47.662Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37372", "state": "PUBLISHED", "dateUpdated": "2025-01-09T21:38:02.105Z", "dateReserved": "2024-06-07T01:04:06.869Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2025-01-09T00:33:47.662Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases."}, {"lang": "es", "value": "El modelo de permisos supone que cualquier ruta que comience con dos barras invertidas \\ tiene un prefijo de cuatro caracteres que se puede ignorar, lo que no siempre es cierto. Este error sutil conduce a casos extremos vulnerables."}], "id": "CVE-2024-37372", "lastModified": "2025-01-09T22:15:28.247", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.0, "impactScore": 2.5, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2025-01-09T01:15:08.500", "references": [{"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/07/11/6"}, {"source": "support@hackerone.com", "url": "http://www.openwall.com/lists/oss-security/2024/07/19/3"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "nodejs: Permission model improperly processes UNC paths", "id": "2336663", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336663"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-754", "details": ["The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.", "A flaw was found in Node.js. The Permission Model assumes that any UNC path starting with two backslashes `\\\\` has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases."], "name": "CVE-2024-37372", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2025-01-09T00:33:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-37372\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-37372\nhttp://www.openwall.com/lists/oss-security/2024/07/11/6\nhttp://www.openwall.com/lists/oss-security/2024/07/19/3"], "statement": "This vulnerability affects Windows users of the Node.js Permission Model in version v22.x and v20.x. No Red Hat products are affected.", "threat_severity": "Low"}