Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Mon, 09 Sep 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Nodejs
Nodejs nodejs |
|
Weaknesses | CWE-77 | |
CPEs | cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:* | |
Vendors & Products |
Nodejs
Nodejs nodejs |
|
Metrics |
ssvc
|
Sat, 07 Sep 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | |
References |
| |
Metrics |
cvssV3_0
|
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2024-09-07T16:00:36.011Z
Updated: 2024-11-08T15:02:49.727Z
Reserved: 2024-05-21T01:04:07.208Z
Link: CVE-2024-36138
Vulnrichment
Updated: 2024-11-08T15:02:49.727Z
NVD
Status : Awaiting Analysis
Published: 2024-09-07T16:15:02.620
Modified: 2024-11-21T09:21:41.500
Link: CVE-2024-36138
Redhat
No data.