{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: Bypass network import restriction via data URL",
    "id" : "2296417",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2296417"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H",
    "status" : "verified"
  },
  "details" : [ "A security flaw in Node.js allows a bypass of network import restrictions.\nBy embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.\nThe vulnerability has been verified on various platforms and is mitigated by forbidding data URLs in network imports.\nExploiting this flaw can violate network import security, posing a risk to developers and servers.", "A flaw was found in the Node.js package. By embedding non-network imports in data URLs, this flaw allows an attacker to execute arbitrary code, compromising system security." ],
  "statement" : "This vulnerability is categorized as moderate severity rather than high due to its specific conditions for exploitation and impact scope. While the flaw permits bypassing network import restrictions via data URLs to execute arbitrary code, its exploitation is contingent on the attacker’s ability to inject and execute code within a controlled environment. The impact is constrained to scenarios where the vulnerable application processes data URLs and lacks robust validation mechanisms. Additionally, this issue requires the attacker to exploit specific code paths and permissions, which limits its widespread applicability.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-26T00:00:00Z",
    "advisory" : "RHSA-2024:5814",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020240808073736.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6148",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:18-8100020240807161023.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-26T00:00:00Z",
    "advisory" : "RHSA-2024:5815",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9040020240807145403.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6147",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:18-9040020240807131341.rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Will not fix",
    "package_name" : "nodejs20",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-22020\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-22020\nhttps://hackerone.com/reports/2092749" ],
  "name" : "CVE-2024-22020",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}