ГлавнаяУязвимости → CVE-2024-36138
8.1высокая

CVE-2024-36138

→ есть в БДУ: BDU:2024-05133 (на русском)
Описание (на английском; русское — в БДУ выше)

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

CVSS
Балл8.1 — высокая
ВекторCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://nodejs.org/en/blog/vulnerability/july-2024-security-releaseshttps://security.netapp.com/advisory/ntap-20241108-0010/