CVE-2024-36138

Published Sep 7, 2024

Last updated 2 months ago

Overview

Description: Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
Source: support@hackerone.com
NVD status: Awaiting Analysis

Hype score: Not currently trending

KUSANAGI 9モジュール更新情報 - 超高速CMS実行環境 KUSANAGI https://t.co/lwDlsuIKsj nodejs18.20.4-1に対応しました。この更新には脆弱性(CVE-2024-36138, CVE-2024-27980, CVE-2024-22020)への対応が含まれます。 #KUSANAGI #WEXAL
@yoshihiro_oh
Oct 23, 2024 8:38 AM
113 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes

Risk scores

CVSS 3.0

Type: Secondary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-77

References