Lucene search

K
alpinelinuxAlpine Linux Development TeamALPINE:CVE-2024-36138
HistorySep 07, 2024 - 4:15 p.m.

CVE-2024-36138

2024-09-0716:15:02
Alpine Linux Development Team
security.alpinelinux.org
9
cve-2024-36138
bypass
improper handling
batch files
windows
child process
code execution
shell option

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0

Percentile

9.5%

Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0

Percentile

9.5%