Bug 1222665 (CVE-2024-27980) - VUL-0: CVE-2024-27980: nodejs16,nodejs18,nodejs20: Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Status: RESOLVED INVALID
Alias: CVE-2024-27980
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/401286/
Reported: 2024-04-11 08:39 UTC by SMASH SMASH
Modified: 2024-07-17 08:30 UTC

Found By: Security Response Team
Description SMASH SMASH 2024-04-11 08:39:00 UTC
From: Jan Schaumann <jschauma () netmeister org>
Date: Wed, 10 Apr 2024 13:36:20 -0400





Rafael Gonzaga <work () rafaelgss dev> wrote:
 


Trimmed 'links -dump' output:


   Wednesday, April 10, 2024 Security Releases

Security releases available

   Updates are now available for the 18.x, 20.x, 21.x Node.js release lines
   for the following issues.

Command injection via args parameter of child_process.spawn without shell option
enabled on Windows (CVE-2024-27980) - (HIGH)

   Due to the improper handling of batch files in child_process.spawn /
   child_process.spawnSync, a malicious command line argument can inject
   arbitrary commands and achieve code execution even if the shell option is
   not enabled.

   Impact:

     * This vulnerability affects all users in active release lines: 18.x,
       20.x, 21.x

   Thank you, to ryotak for reporting this vulnerability and thank you Ben
   Noordhuis for fixing it.


---

Sending these details could be automated from a simple
procmail filter, if desired.

-Jan

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27980
https://seclists.org/oss-sec/2024/q2/79
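
A caller-side guard for the issue described in the advisory above, as an added example that is not part of this bug report or of Node.js: it refuses `.bat`/`.cmd` targets on Windows, or, when they are explicitly allowed, refuses arguments outside a conservative allowlist. `checkSpawn`, its options and the `SAFE_ARG` allowlist are assumptions made for illustration.

```javascript
// Added example: caller-side guard, not Node.js project code.
// checkSpawn, its options and SAFE_ARG are hypothetical names and policy.
const BATCH_EXTENSIONS = ['.bat', '.cmd'];

// Assumed policy: arguments for a batch file must consist only of these
// characters; anything else is refused rather than escaped.
const SAFE_ARG = /^[A-Za-z0-9_.:\/\\=-]+$/;

function isBatchTarget(command) {
  // Win32 ignores trailing dots and spaces in file names, so strip them
  // before comparing the extension (case-insensitively).
  const name = String(command).replace(/[. ]+$/, '').toLowerCase();
  return BATCH_EXTENSIONS.some((ext) => name.endsWith(ext));
}

function checkSpawn(command, args = [], opts = {}) {
  const { platform = process.platform, allowBatch = false } = opts;
  if (platform !== 'win32' || !isBatchTarget(command)) {
    return { allowed: true, reason: 'not a batch file on Windows' };
  }
  if (!allowBatch) {
    return { allowed: false, reason: 'batch file target refused' };
  }
  const rejected = args.filter((a) => !SAFE_ARG.test(String(a)));
  return rejected.length === 0
    ? { allowed: true, reason: 'batch file, allowlisted arguments' }
    : { allowed: false, reason: 'argument outside allowlist', rejected };
}

// Constructed sample calls, evaluated as if on Windows.
const samples = [
  ['node.exe', ['two words'], {}],
  ['build.bat', ['--out=dist'], {}],
  ['Build.CMD. ', [], {}],
  ['build.cmd', ['--out=dist'], { allowBatch: true }],
  ['build.cmd', ['two words'], { allowBatch: true }],
];
for (const [cmd, args, opts] of samples) {
  const verdict = checkSpawn(cmd, args, { ...opts, platform: 'win32' });
  console.log(JSON.stringify(cmd), verdict.allowed, verdict.reason);
}
```

Call it immediately before `child_process.spawn` / `child_process.spawnSync` and abort when `allowed` is false.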
Comment 1 Robert Frohl 2024-04-11 08:45:27 UTC
For Windows only, closing.
Comment 3 Maintenance Automation 2024-07-16 08:30:01 UTC
SUSE-SU-2024:2496-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34774](https://smelt.suse.de/incident/34774/)
Sources used:
Web and Scripting Module 12 (src):
 nodejs18-18.20.4-8.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Maintenance Automation 2024-07-17 08:30:06 UTC
SUSE-SU-2024:2542-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222665, 1227554, 1227560
CVE References: CVE-2024-22020, CVE-2024-27980, CVE-2024-36138
Maintenance Incident: [SUSE:Maintenance:34773](https://smelt.suse.de/incident/34773/)
Sources used:
openSUSE Leap 15.4 (src):
 nodejs18-18.20.4-150400.9.24.2
openSUSE Leap 15.5 (src):
 nodejs18-18.20.4-150400.9.24.2
Web and Scripting Module 15-SP5 (src):
 nodejs18-18.20.4-150400.9.24.2