{}

{}

{}

{"bugzilla": {"description": "Node.js: Fail to Escape Arguments Properly in Microsoft Windows", "id": "2270693", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270693"}, "csaw": false, "cwe": "CWE-78", "details": ["A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by cmd.exe when executing batch files, which has complicated parsing rules for arguments that were not able to be safely escaped. It is possible to inject commands if an attacker can control part of the command arguments of the batch file."], "name": "CVE-2024-27980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:20/nodejs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27980\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27980\nhttps://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"], "statement": "This vulnerability exclusively applies to applications running on Windows.", "upstream_fix": "Node.js 21.7.3, Node.js 20.12.2, Node.js 18.20.2"}