CVE-2024-36138

描述

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

受影響套件(3)

• Alpine/nodejsfrom 0, < 0
• Bitnami/nodefrom 0, < 18.20.4, >= 19.0.0, < 20.15.1, >= 21.0.0, < 22.4.1
• Bitnami/node-minfrom 0, < 18.20.5, >= 19.0.0, < 20.18.1, >= 21.0.0, < 22.12.0

CVSS 分數

參考連結(5)

• ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2024-36138
• WEBhttps://nodejs.org/en/blog/vulnerability/july-2024-security-releases
• WEBhttps://nvd.nist.gov/vuln/detail/CVE-2024-36138
• WEBhttps://security.netapp.com/advisory/ntap-20241108-0010/
• WEBhttps://www.oracle.com/security-alerts/cpuoct2024.html