
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in Node.js allows code injection and privilege escalation through Linux capabilities, identified as CVE-2024-21892. The vulnerability exists due to a bug in the implementation of the `CAP_NET_BIND_SERVICE` exception, where Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges (Node.js Blog).
The vulnerability affects Node.js versions in the 18.x, 20.x, and 21.x release lines. On Linux systems, Node.js is designed to ignore certain environment variables if they may have been set by an unprivileged user while the process is running with elevated privileges. The only exception to this rule is supposed to be for `CAP_NET_BIND_SERVICE`. However, due to an implementation flaw, this exception is incorrectly applied when other capabilities are set, creating a privilege escalation vector (Node.js Blog).
The vulnerability is rated as High severity. When successfully exploited, it allows unprivileged users to inject code that inherits the process's elevated privileges, potentially leading to privilege escalation on Linux systems. This affects all users running Node.js versions 18.x, 20.x, and 21.x on Linux platforms (Node.js Blog).
The vulnerability has been patched in the security releases for Node.js versions 18.x, 20.x, and 21.x. Users are strongly advised to update to the latest security releases of their respective Node.js version lines to address this vulnerability. The fix was implemented by Tobias Nießen, who also reported the vulnerability (Node.js Blog).
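To prioritise updates, it helps to know which Node.js processes hold capabilities beyond `CAP_NET_BIND_SERVICE`, since that is the condition under which the exception described above was misapplied. The following is an added triage example, not code from the Node.js project or the advisory; the function names are hypothetical, the `/proc/<pid>/status` excerpts are constructed, and counting a capability as held when it appears in either the permitted or the effective set is an assumption of this example.

```python
import re

CAP_NET_BIND_SERVICE = 10  # bit index, from <linux/capability.h>
BIND_ONLY = 1 << CAP_NET_BIND_SERVICE

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
SAMPLE_STATUS = {
    "no-caps": "Name:\tnode\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
    "bind-only": "Name:\tnode\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n",
    # bits 10, 12, 13: CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW
    "bind-plus-net": "Name:\tnode\nCapPrm:\t0000000000003400\nCapEff:\t0000000000003400\n",
    # bits 10 and 39 (CAP_BPF): the extra capability sits above bit 31
    "bind-plus-bpf": "Name:\tnode\nCapPrm:\t0000008000000400\nCapEff:\t0000008000000400\n",
}

CAP_LINE = re.compile(r"^(Cap(?:Prm|Eff)):\s*([0-9a-fA-F]+)\s*$", re.M)


def held_mask(status_text):
    """OR the permitted and effective masks together as one 64-bit integer."""
    mask = 0
    for _field, value in CAP_LINE.findall(status_text):
        mask |= int(value, 16)
    return mask


def extra_capability_bits(status_text):
    """Bit numbers of capabilities held besides CAP_NET_BIND_SERVICE."""
    extra = held_mask(status_text) & ~BIND_ONLY
    return [bit for bit in range(64) if (extra >> bit) & 1]


def classify(status_text):
    """'unprivileged', 'bind-only' (the intended exception) or 'elevated'."""
    mask = held_mask(status_text)
    if mask == 0:
        return "unprivileged"
    if mask == BIND_ONLY:
        return "bind-only"
    # Other capabilities are present: patch these processes first.
    return "elevated"


if __name__ == "__main__":
    for name, text in SAMPLE_STATUS.items():
        print(name, classify(text), extra_capability_bits(text))
```

On a live host the same functions can be fed the contents of `/proc/<pid>/status` for each running `node` process.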
Source: This report was generated using AI