PatchSiren cyber security CVE debrief
CVE-2024-21890 NodeJS CVE debrief
CVE-2024-21890 documents a documentation clarity issue in the Node.js Permission Model that could lead to unintended filesystem access. The vulnerability stems from misleading documentation regarding wildcard usage in file path permissions. Specifically, the documentation does not clarify that wildcards should only be used as the last character of a file path. When users specify patterns like `--allow-fs-read=/home/node/.ssh/*.pub`, the system interprets the wildcard as matching everything after `.ssh/` rather than only files ending with `.pub`, effectively ignoring the intended file extension restriction. This behavior affects all users of the experimental permission model in Node.js 20 and Node.js 21. The issue is particularly relevant to Siemens SINEC INS deployments that use affected Node.js versions. The vulnerability was published on November 12, 2024, with a CVSS 3.1 score of 5.3 (MEDIUM severity). Siemens has released a vendor fix and recommends updating to V1.0 SP2 Update 3 or later.
- Vendor: NodeJS
- Product: SINEC INS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations running Siemens SINEC INS with Node.js-based components, security teams managing Node.js deployments with experimental permission models, system administrators configuring filesystem access controls via Node.js permissions, and compliance teams auditing permission configurations for principle of least privilege adherence.
Technical summary
The Node.js experimental Permission Model contains a documentation gap regarding wildcard usage in filesystem permission paths. When users specify wildcards before the final path segment (e.g., `*.pub`), the permission system treats the wildcard as matching any characters from that position forward, rather than matching only files with the specified extension. This results in broader filesystem access than intended. The vulnerability is documentation-related but has security impact through misconfiguration. Affected versions include Node.js 20 and Node.js 21. Siemens SINEC INS incorporates affected Node.js components and has issued patch V1.0 SP2 Update 3 to address the issue.
Defensive priority
medium
Recommended defensive actions
- Review Node.js permission model configurations in Siemens SINEC INS deployments to identify any wildcard patterns that may grant broader access than intended
- Update Siemens SINEC INS to V1.0 SP2 Update 3 or later, as specified in the vendor remediation guidance
- Audit filesystem permission grants to ensure wildcards are only used as the final character in path specifications
- Validate that existing `--allow-fs-read` and similar permission flags do not contain mid-path wildcards that could expand access scope
- Monitor Node.js security advisories for updates to the experimental permission model documentation and behavior
- Apply principle of least privilege when configuring Node.js permissions, explicitly enumerating allowed paths rather than relying on wildcard patterns where feasible
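One way to carry out the configuration audit described in the actions above, as an added example that is not part of the PatchSiren debrief or of the Node.js project: a small Node.js script that scans a command line (or a `NODE_OPTIONS` string) for `--allow-fs-read` and `--allow-fs-write` grants and flags any path whose `*` is not the final character, reporting the prefix such a pattern effectively grants. The flag names are the real Node.js permission-model flags; the whitespace tokenization (no quoted paths), the treatment of comma-separated values as multiple entries, and the sample command line are assumptions constructed for this example.

```javascript
// Added example (not part of the PatchSiren debrief or of Node.js itself):
// audit Node.js permission-model flags for wildcards that are not the last
// character of the path. Per the advisory, a pattern such as
// /home/node/.ssh/*.pub is treated as the prefix /home/node/.ssh/ followed by
// anything, so the ".pub" suffix is silently ignored.

const FS_FLAGS = ['--allow-fs-read', '--allow-fs-write'];

// Extract every filesystem grant from a command line string or argv array.
// Assumption: tokens are whitespace-separated and paths contain no spaces;
// shell quoting is not handled here.
function extractFsGrants(argv) {
  const tokens = Array.isArray(argv) ? argv : argv.trim().split(/\s+/);
  const grants = [];
  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i];
    for (const flag of FS_FLAGS) {
      let value = null;
      if (tok.startsWith(flag + '=')) {
        value = tok.slice(flag.length + 1);          // --flag=value form
      } else if (tok === flag && i + 1 < tokens.length) {
        value = tokens[++i];                         // --flag value form
      }
      if (value === null) continue;
      // Assumption: a comma-separated value is a list of separate grants.
      for (const entry of value.split(',')) {
        if (entry.length > 0) grants.push({ flag, path: entry });
      }
    }
  }
  return grants;
}

// Classify one granted path. A '*' anywhere but the final position is
// "mid-path": the effective grant is everything under the prefix before it.
function classifyGrant(path) {
  const first = path.indexOf('*');
  if (first === -1) return { path, kind: 'exact', effective: path };
  const effective = path.slice(0, first) + '*';
  const kind = first === path.length - 1 ? 'trailing-wildcard' : 'mid-path-wildcard';
  return { path, kind, effective };
}

// Full audit: every grant with its classification and effective scope.
function auditPermissionFlags(argv) {
  return extractFsGrants(argv).map((g) => ({ flag: g.flag, ...classifyGrant(g.path) }));
}

// Only the grants that are broader than their literal pattern suggests.
function findOverbroadGrants(argv) {
  return auditPermissionFlags(argv).filter((g) => g.kind === 'mid-path-wildcard');
}

// Constructed sample command line for demonstration (not from any real deployment).
const SAMPLE_CMD =
  'node --experimental-permission ' +
  '--allow-fs-read=/home/node/.ssh/*.pub ' +
  '--allow-fs-read=/var/app/config/ ' +
  '--allow-fs-write /tmp/app/* ' +
  '--allow-fs-read=/etc/app/*.json,/srv/data/ ' +
  'app.js';

for (const g of auditPermissionFlags(SAMPLE_CMD)) {
  const note = g.kind === 'mid-path-wildcard'
    ? 'OVERBROAD: effectively grants ' + g.effective
    : g.kind;
  console.log(g.flag + ' ' + g.path + ' -> ' + note);
}
```

Running it against the constructed sample reports `/home/node/.ssh/*.pub` and `/etc/app/*.json` as overbroad (effectively `/home/node/.ssh/*` and `/etc/app/*`), while `/tmp/app/*` is an ordinary trailing wildcard and the directory paths are exact. The same functions can be pointed at a process's real argv or at the contents of `NODE_OPTIONS` from a deployment's service definition.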
Evidence notes
The vulnerability description is derived from the CISA CSAF advisory ICSA-24-319-08, which references Siemens security advisory SSA-915275. The affected product is Siemens SINEC INS. The issue affects Node.js 20 and Node.js 21 experimental permission model. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Official resources
- CVE-2024-21890 CVE record (CVE.org)
- CVE-2024-21890 NVD detail (NVD)
- Source item URL: cisa_csaf