Bug 1227560 (CVE-2024-36138)

Summary: VUL-0: CVE-2024-36138: nodejs: bypass incomplete fix of CVE-2024-27980
Product: [Novell Products] SUSE Security Incidents
Reporter: Andrea Mattiazzo <andrea.mattiazzo>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: amajer
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andrea Mattiazzo 2024-07-09 09:55:25 UTC
The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

This vulnerability affects all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.

Impact:

This vulnerability affects all Windows users in active release lines: 22.x, 20.x, 18.x
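
An added illustration of the issue described in this report (not code from Node.js or SUSE): a guard for call sites that pass untrusted arguments to child_process.spawn / spawnSync, flagging Windows batch-file targets whose arguments fall outside a conservative allowlist. The names `effectiveExtension`, `isBatchTarget` and `checkSpawn`, the extension set and the allowlist are assumptions of this example, and the trailing dot/space and case normalization goes beyond what the report states.

```javascript
// Added example: pre-spawn guard for Windows batch-file targets.
// Not Node.js or SUSE code; all names below are hypothetical.

// Assumption: .bat and .cmd are the extensions Windows runs through cmd.exe.
const BATCH_EXTENSIONS = new Set(['.bat', '.cmd']);

// Conservative allowlist for arguments that may reach a batch file.
const SAFE_ARG = /^[A-Za-z0-9_.:=\/\\-]*$/;

// Reduce a command to the extension Windows will act on: take the last path
// component, drop trailing dots and spaces (Win32 path normalization removes
// them), and lower-case it (Windows file names are case-insensitive).
function effectiveExtension(command) {
  const base = String(command).split(/[\\/]/).pop().replace(/[. ]+$/, '');
  const dot = base.lastIndexOf('.');
  return dot < 0 ? '' : base.slice(dot).toLowerCase();
}

function isBatchTarget(command) {
  return BATCH_EXTENSIONS.has(effectiveExtension(command));
}

// Decide whether a spawn call is acceptable. `platform` defaults to the
// running platform and can be overridden to audit Windows call sites from
// another operating system.
function checkSpawn(command, args = [], platform = process.platform) {
  if (platform !== 'win32') return { allowed: true, reason: 'not-windows' };
  if (!isBatchTarget(command)) return { allowed: true, reason: 'not-batch' };
  const unsafe = args.filter((a) => !SAFE_ARG.test(String(a)));
  return unsafe.length === 0
    ? { allowed: true, reason: 'batch-safe-args' }
    : { allowed: false, reason: 'batch-unsafe-args', unsafe };
}

// Constructed sample call sites (not taken from the bug report).
const samples = [
  ['C:\\tools\\build.bat', ['release']],
  ['C:\\tools\\BUILD.CMD. ', ['a&b']],
  ['node.exe', ['a&b']],
];
for (const [cmd, args] of samples) {
  console.log(cmd, JSON.stringify(checkSpawn(cmd, args, 'win32')));
}
```
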
Comment 1 Andrea Mattiazzo 2024-07-09 09:56:17 UTC
Closing since it affects only Windows users.
Comment 3 Maintenance Automation 2024-07-16 08:30:01 UTC
SUSE-SU-2024:2496-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34774](https://smelt.suse.de/incident/34774/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.4-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-17 08:30:02 UTC
SUSE-SU-2024:2543-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1227554, 1227560, 1227561, 1227562, 1227563
CVE References: CVE-2024-22018, CVE-2024-22020, CVE-2024-27980, CVE-2024-36137, CVE-2024-36138, CVE-2024-37372
Maintenance Incident: [SUSE:Maintenance:34775](https://smelt.suse.de/incident/34775/)
Sources used:
openSUSE Leap 15.5 (src):
 nodejs20-20.15.1-150500.11.12.2
Web and Scripting Module 15-SP5 (src):
 nodejs20-20.15.1-150500.11.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Maintenance Automation 2024-07-17 08:30:06 UTC
SUSE-SU-2024:2542-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34773](https://smelt.suse.de/incident/34773/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.4-150400.9.24.2
openSUSE Leap 15.5 (src):
 nodejs18-18.20.4-150400.9.24.2
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.4-150400.9.24.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.