摘要:
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
安全等级: Low
公告ID: KylinSec-SA-2024-3721
发布日期: 2024年9月14日
关联CVE: CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-36138 | KY3.4-5A | nodejs | Unaffected |
| CVE-2024-36138 | KY3.5.2 | nodejs | Unaffected |
| CVE-2024-36138 | V6 | nodejs | Unaffected |
