Bug 2270693 (CVE-2024-27980)
| Summary: | CVE-2024-27980 Node.js: Fail to Escape Arguments Properly in Microsoft Windows | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Zack Miele <zmiele> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Node.js 21.7.3, Node.js 20.12.2, Node.js 18.20.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for arguments that were not able to be safely escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-04-15 14:21:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2265582 | ||
|
Description
Zack Miele
2024-03-21 13:13:21 UTC
|