ALT-PU-2024-7199-3
Closed vulnerabilities
Published: 2024-07-31
Modified: 2026-03-04
Modified: 2026-03-04
BDU:2024-05853
Уязвимость функций child_process.spawn() и child_process.spawnSync() программной платформы Node.js операционных систем Windows, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольные команды
Severity: HIGH (8.8)Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: CRITICAL (10.0)Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
References:
Published: 2025-01-09
Modified: 2026-04-15
Modified: 2026-04-15
CVE-2024-27980
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Severity: HIGH (8.1)Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2024/04/10/15
- http://www.openwall.com/lists/oss-security/2024/07/11/6
- http://www.openwall.com/lists/oss-security/2024/07/19/3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/