Description
Describe the bug
Security scanning of the default installation method results in CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019 being tripped based on the current version of Node.js 20 set in externals.
To Reproduce
Steps to reproduce the behavior:
Take the latest installation from releases including runtimes and externals. Example: actions-runner-linux-x64-2.309.0.tar.gz
Uncompress
Run security scan (e.g. Wiz)
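A quick local check that reproduces the finding without a commercial scanner, as an added example that is not part of the issue or of the actions/runner project: it asks the Node.js binary bundled under externals/node20/bin/node (the path from the report) for its version and compares it against the fixed version the scanner reports (20.11.1). The functions and the default runner directory argument are assumptions for this example; the fixed version is taken from the report above.

```shell
#!/bin/sh
# Added example (not from the actions/runner project or the issue reporter).
# Checks whether the Node.js shipped in a runner's externals directory is
# older than the version a scanner reports as fixed.
# Assumption: the runner tarball is extracted under $1 (default: current
# directory) with the layout externals/node20/bin/node seen in the report.

# ver_field VERSION N -> N-th dotted component, numeric only, 0 if absent.
# A leading "v" (as printed by `node --version`) and any suffix such as
# "-pre" are stripped so the arithmetic comparison below is safe.
ver_field() {
  vf=$(printf '%s\n' "${1#v}" | cut -d. -f"$2")
  vf=${vf%%[!0-9]*}
  printf '%s\n' "${vf:-0}"
}

# semver_cmp A B -> prints -1 if A < B, 0 if equal, 1 if A > B.
semver_cmp() {
  sc_i=1
  while [ "$sc_i" -le 3 ]; do
    sc_x=$(ver_field "$1" "$sc_i")
    sc_y=$(ver_field "$2" "$sc_i")
    if [ "$sc_x" -lt "$sc_y" ]; then echo -1; return 0; fi
    if [ "$sc_x" -gt "$sc_y" ]; then echo 1; return 0; fi
    sc_i=$((sc_i + 1))
  done
  echo 0
}

# is_vulnerable INSTALLED FIXED -> exit 0 when INSTALLED is older than FIXED.
is_vulnerable() {
  [ "$(semver_cmp "$1" "$2")" = "-1" ]
}

# check_runner_node [RUNNER_DIR] [FIXED_VERSION]
# Exit status: 0 = bundled Node.js is at/after the fixed version,
#              1 = bundled Node.js is older (finding reproduced),
#              2 = no usable node20 binary found at the expected path.
check_runner_node() {
  cr_dir=${1:-.}
  cr_fixed=${2:-20.11.1}
  cr_node="$cr_dir/externals/node20/bin/node"
  if [ ! -x "$cr_node" ]; then
    echo "no node20 binary at $cr_node"
    return 2
  fi
  cr_ver=$("$cr_node" --version 2>/dev/null) || {
    echo "could not run $cr_node --version"
    return 2
  }
  if is_vulnerable "$cr_ver" "$cr_fixed"; then
    echo "VULNERABLE: bundled Node.js $cr_ver is older than fixed version $cr_fixed"
    return 1
  fi
  echo "OK: bundled Node.js $cr_ver is at or after fixed version $cr_fixed"
  return 0
}

# Usage (after extracting the release tarball into /home/runner):
#   check_runner_node /home/runner 20.11.1
```

The comparison is done field by field rather than with a string comparison, because "20.8.1" sorts after "20.11.1" lexically; that is exactly the mistake that makes naive version checks miss this class of finding.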
Expected behavior
Clean security report
Runner Version and Platform
v2.316.0
OS of the machine running the runner?
Linux
What's not working?
CPE vulnerabilities:
Name: cpe:2.3:a:nodejs:node.js, Version: 20.8.1, Path: /home/runner/externals/node20/bin/node
CVE-2024-21892, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21892
Fixed version: 20.11.1
CVE-2024-21896, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21896
Fixed version: 20.11.1
CVE-2024-22017, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-22017
Fixed version: 20.11.1
CVE-2024-22019, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-22019
Fixed version: 20.11.1
CVE-2023-46809, Severity: MEDIUM, Source:
Fixed version: 20.11.1
CVE-2024-21890, Severity: MEDIUM, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21890
Fixed version: 20.11.1
CVE-2024-21891, Severity: MEDIUM, Source: https://nvd.nist.gov/vuln/detail/CVE-2024-21891
Fixed version: 20.11.1