Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control

Summary

Node.js is vulnerable to remote attacker to execute arbitrary commands. These vulnerabilities affect IBM Spectrum Control.

Vulnerability Details

CVEID:CVE-2024-36138
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by the incomplete fix of CVE-2024-27980 which was the improper handling of batch files in child_process.spawn / child_process.spawnSync. By sending a specially crafted command line argument, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297432 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2024-22020
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary code on the system. By embedding non-network imports in data URLs, an attacker could exploit this vulnerability to bypass network import restrictions and execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297433 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Release| First Fixing
VRM Level| Link to Fix
—|—|—
5.4| 5.4.12.1| <https://www.ibm.com/support/pages/latest-downloads-ibm-spectrum-control&gt;

Workarounds and Mitigations

None