CVE-2024-27980

Vulnerability Summary

Description

A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows a malicious user to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for arguments that were not able to be safely escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.
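An application-side guard for the condition described above, as an added example that is not code from this page or from the Node.js project: before calling child_process.spawn, it checks whether the target is a batch file and, if so, accepts only arguments on a strict allow-list. The names `isBatchTarget`, `checkSpawn` and `SAFE_ARG`, and the allow-list itself, are assumptions of this example.

```javascript
// Added example: pre-flight check for spawn() calls that target batch files
// on Windows. All names and the allow-list are assumptions of this example.

// Only plain path/identifier characters pass; every cmd.exe metacharacter
// (& | < > ^ % " ( ) ! and whitespace) is rejected rather than escaped.
const SAFE_ARG = /^[A-Za-z0-9_.:\/\\-]+$/;

// True when the command names a .bat/.cmd file. Windows treats file names
// case-insensitively and ignores trailing dots and spaces, so "run.BAT. "
// still resolves to a batch file and must be caught.
function isBatchTarget(command) {
  const name = String(command).replace(/[. ]+$/, '').split(/[\\/]/).pop();
  return /\.(bat|cmd)$/i.test(name);
}

// Returns { allowed, reason, rejected } for a planned spawn(command, args).
// Extension-less commands are not resolved against PATH here.
function checkSpawn(command, args = [], platform = process.platform) {
  if (platform !== 'win32') {
    return { allowed: true, reason: 'not-windows', rejected: [] };
  }
  if (!isBatchTarget(command)) {
    return { allowed: true, reason: 'not-batch-file', rejected: [] };
  }
  const rejected = args.filter(
    (a) => typeof a !== 'string' || !SAFE_ARG.test(a)
  );
  return rejected.length === 0
    ? { allowed: true, reason: 'batch-args-on-allow-list', rejected }
    : { allowed: false, reason: 'batch-args-not-on-allow-list', rejected };
}

// Constructed sample inputs (not taken from any real incident).
const samples = [
  ['C:\\tools\\build.BAT', ['release']],
  ['build.cmd. ', ['a&b']],
  ['node.exe', ['a&b']],
  ['build.bat', ['100%', 'ok']],
];
for (const [cmd, args] of samples) {
  const r = checkSpawn(cmd, args, 'win32');
  console.log(JSON.stringify(cmd), JSON.stringify(args), '->', r.reason);
}
```

Call `checkSpawn` immediately before `child_process.spawn` and refuse to run when `allowed` is false; rejecting is used here because the description states these arguments could not be safely escaped.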

Vendor Advisories

Description: A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for ...

Mailing Lists

---------- Forwarded message --------- From: Rafael Gonzaga <work () rafaelgss dev> Date: Thursday, April 4, 2024 at 17:22:26 UTC-3 Subject: Node.js security update for all active release lines, April 9 2024 To: nodejs-sec <nodejs-sec () googlegroups com> The Node.js project will release new versions of all supported rele ...
---------- Forwarded message --------- From: Rafael Gonzaga <work () rafaelgss dev> Date: Wednesday, April 10, 2024 at 14:03:54 UTC-3 Subject: Re: Node.js security update for all active release lines, April 9 2024 To: nodejs-sec <nodejs-sec () googlegroups com> The planned security releases are now available. You can read ...
Rafael Gonzaga <work () rafaelgss dev> wrote: Trimmed 'links -dump' output: Wednesday, April 10, 2024 Security Releases. Security releases available. Updates are now available for the 18.x, 20.x, 21.x Node.js release lines for the following issues. Command injection via args parameter of child_process.spawn without shell optio ...