Alpine: multiple nodejs packages: security update to 20.15.1-r0

medium Tenable Cloud Security Plugin ID 424245

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A vulnerability has been identified in Node.js, affecting users of the experimental permission model when
the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to
restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files
that they do not have explicit read access to. This vulnerability affects all users using the experimental
permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the
permission model is an experimental feature of Node.js. (CVE-2024-22018)

- A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network
imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on
various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting
this flaw can violate network import security, posing a risk to developers and servers. (CVE-2024-22020)

- A vulnerability has been identified in Node.js, affecting users of the experimental permission model when
the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however,
operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and
permissions of a file. (CVE-2024-36137)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-22018

https://security.alpinelinux.org/vuln/CVE-2024-22020

https://security.alpinelinux.org/vuln/CVE-2024-36137

Plugin Details

Severity: Medium

ID: 424245

Version: Revision 1.6

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.08

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-22020

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/8/2024

Reference Information

CVE: CVE-2024-22018, CVE-2024-22020, CVE-2024-36137