CVE-2024-27980

Sažetak

Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Reference

http://www.openwall.com/lists/oss-security/2024/04/10/15
http://www.openwall.com/lists/oss-security/2024/07/11/6
http://www.openwall.com/lists/oss-security/2024/07/19/3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5MZN6PFXHTCCUENAKZXTGWPKUAHI6E2W/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUWBYDVCUSCX7YWTBX75LADMCVYFBGKU/

CVSS

Base:	8.1
Impact:	5.9
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

09-01-2025 - 01:15

Objavljeno

09-01-2025 - 01:15