{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24828", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.946Z", "datePublished": "2024-02-09T22:21:04.933Z", "dateUpdated": "2024-08-22T13:25:19.053Z"}, "containers": {"cna": {"title": "Local Privilege Escalation in execuatables bundled by pkg", "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "lang": "en", "description": "CWE-276: Incorrect Default Permissions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"}, {"name": "https://nodejs.org/api/single-executable-applications.html", "tags": ["x_refsource_MISC"], "url": "https://nodejs.org/api/single-executable-applications.html"}], "affected": [{"vendor": "vercel", "product": "pkg", "versions": [{"version": "<= 5.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-09T22:21:04.933Z"}, "descriptions": [{"lang": "en", "value": "pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security."}], "source": {"advisory": "GHSA-22r3-9w55-cj54", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.933Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"}, {"name": "https://nodejs.org/api/single-executable-applications.html", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodejs.org/api/single-executable-applications.html"}]}, {"affected": [{"vendor": "vercel", "product": "pkg", "cpes": ["cpe:2.3:a:vercel:pkg:-:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.8.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T13:22:41.012365Z", "id": "CVE-2024-24828", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:25:19.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://nodejs.org/api/single-executable-applications.html", "name": "https://nodejs.org/api/single-executable-applications.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.933Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-22T13:22:41.012365Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vercel:pkg:-:*:*:*:*:node.js:*:*"], "vendor": "vercel", "product": "pkg", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.8.1"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T13:25:15.425Z"}}], "cna": {"title": "Local Privilege Escalation in execuatables bundled by pkg", "source": {"advisory": "GHSA-22r3-9w55-cj54", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vercel", "product": "pkg", "versions": [{"status": "affected", "version": "<= 5.8.1"}]}], "references": [{"url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "name": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://nodejs.org/api/single-executable-applications.html", "name": "https://nodejs.org/api/single-executable-applications.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276: Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-09T22:21:04.933Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24828", "state": "PUBLISHED", "dateUpdated": "2024-08-22T13:25:19.053Z", "dateReserved": "2024-01-31T16:28:17.946Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-09T22:21:04.933Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:pkg:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A83852BC-5291-4916-A376-52D0CB5766AE", "versionEndIncluding": "5.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security."}, {"lang": "es", "value": "pkg es una herramienta de dise\u00f1o para agrupar proyectos de Node.js en archivos ejecutables. Cualquier paquete de c\u00f3digo nativo creado por `pkg` se escribe en un directorio codificado. En sistemas Unix, este es `/tmp/pkg/*` que es un directorio compartido para todos los usuarios en el mismo sistema local. Los nombres de los paquetes dentro de este directorio no son \u00fanicos, son predecibles. Un atacante que tiene acceso al mismo sistema local tiene la capacidad de reemplazar los ejecutables genuinos en el directorio compartido con ejecutables maliciosos del mismo nombre. Luego, un usuario puede ejecutar el ejecutable malicioso sin darse cuenta de que ha sido modificado. Este paquete est\u00e1 en desuso. Por lo tanto, no se proporcionar\u00e1 ning\u00fan parche para esta vulnerabilidad. Para verificar si su ejecutable compilado por pkg depende del c\u00f3digo nativo y es vulnerable, ejecute el ejecutable y verifique si se cre\u00f3 `/tmp/pkg/`. Los usuarios deben hacer la transici\u00f3n a alternativas mantenidas activamente. Recomendamos investigar la compatibilidad de Node.js 21 con aplicaciones ejecutables \u00fanicas. Dada la decisi\u00f3n de dejar de usar el paquete pkg, nuestro equipo no ha proporcionado soluciones ni soluciones oficiales. Los usuarios deben priorizar la migraci\u00f3n a otros paquetes que ofrezcan funciones similares con seguridad mejorada."}], "id": "CVE-2024-24828", "lastModified": "2024-02-16T13:43:33.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-09T23:15:09.837", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://nodejs.org/api/single-executable-applications.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "pkg: incorrect default permissions", "id": "2263749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263749"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-276", "details": ["pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21\u2019s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.", "An incorrect default permissions vulnerability was found in pkg. This issue allows an attacker who has access to the /tmp/pkg/ on the local system to replace the genuine executables in the shared directory with malicious executables of the same name."], "name": "CVE-2024-24828", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "pkg", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}], "public_date": "2024-02-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24828\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24828\nhttps://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54"], "threat_severity": "Moderate"}