Search for vulnerabilities
Vulnerability details: VCID-ctqm-mmue-aaaf
Vulnerability ID VCID-ctqm-mmue-aaaf
Aliases CVE-2024-21892
Summary On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
Status Published
Exploitability 0.5
Weighted Severity 7.3
Risk 3.6
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-94 Improper Control of Generation of Code ('Code Injection')
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21892.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00104 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00121 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00131 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00131 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
epss 0.00213 https://api.first.org/data/v1/epss?cve=CVE-2024-21892
cvssv3.1 7.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2024-21892
cvssv3.1 3.9 http://www.openwall.com/lists/oss-security/2024/03/11/1
generic_textual LOW http://www.openwall.com/lists/oss-security/2024/03/11/1
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21892.json
https://api.first.org/data/v1/epss?cve=CVE-2024-21892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21892
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2237545
https://security.netapp.com/advisory/ntap-20240322-0003/
http://www.openwall.com/lists/oss-security/2024/03/11/1
1064055 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064055
2264582 https://bugzilla.redhat.com/show_bug.cgi?id=2264582
CVE-2024-21892 https://nvd.nist.gov/vuln/detail/CVE-2024-21892
GLSA-202505-11 https://security.gentoo.org/glsa/202505-11
RHSA-2024:1503 https://access.redhat.com/errata/RHSA-2024:1503
RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510
RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687
RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688
RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880
RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-21892.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-21892
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L Found at http://www.openwall.com/lists/oss-security/2024/03/11/1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.16666
EPSS Score 0.00045
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-02-16T00:15:36.972972+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 34.0.0rc2