Description
A bypass of the incomplete fix for CVE-2024-27980, which arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Release | Status | Note |
---|---|---|
devel | not-affected | Only affects Windows |
esm-apps/bionic | not-affected | Only affects Windows |
esm-apps/focal | not-affected | Only affects Windows |
esm-apps/jammy | not-affected | Only affects Windows |
esm-apps/noble | not-affected | Only affects Windows |
esm-apps/xenial | not-affected | Only affects Windows |
esm-infra-legacy/trusty | not-affected | Only affects Windows |
focal | not-affected | Only affects Windows |
jammy | not-affected | Only affects Windows |
mantic | ignored | end of life, was needs-triage |
CVSS3: 8.1 High
Related vulnerabilities
A vulnerability in the Node.js software platform, related to errors in handling input data, that allows an attacker to execute arbitrary commands