Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0291 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2024-22020:
    A security flaw in Node.js  allows a bypass of network import restrictions.
    By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system     security.
    Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
    Exploiting this flaw can violate network import security, posing a risk to developers and servers.

    CVE-2024-36138:
    Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all     possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line     argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

    CVE-2024-28863:
    node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders     created in the folder creation process. An attacker who generates a large number of sub-folders can     consume memory on the system running node-tar and even crash the Node.js client within few seconds of     running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing     extraction in excessively deep sub-folders.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Java installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2024 CPU advisory.

  - Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Node (Node.js)). Supported     versions that are affected are Oracle GraalVM for JDK: 17.0.12, 21.0.4 and 23. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM     for JDK. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM for JDK. (CVE-2024-36138)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:
    JavaFX (WebKitGTK)). Supported versions that are affected are Oracle Java SE: 8u421; Oracle GraalVM     Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with     network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful     attacks require human interaction from a person other than the attacker. Successful attacks of this     vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM Enterprise Edition. (CVE-2023-42950)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component:
    JavaFX (libxml2)). Supported versions that are affected are Oracle Java SE: 8u421; Oracle GraalVM Enterprise     Edition: 20.3.15 and 21.3.11. Easily exploitable vulnerability allows unauthenticated attacker with network     access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful     attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. (CVE-2024-25062)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the nodejs package has been released.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2574-1 advisory.

    Update to 20.15.1:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
    - CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562)
    - CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561)
    - CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563)

    Changes in 20.15.0:

    - test_runner: support test plans
    - inspector: introduce the --inspect-wait flag
    - zlib: expose zlib.crc32()
    - cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

    Changes in 20.14.0

    - src,permission: throw async errors on async APIs
    - test_runner: support forced exit

    Changes in 20.13.1:

    - buffer: improve base64 and base64url performance
    - crypto: deprecate implicitly shortened GCM tags
    - events,doc: mark CustomEvent as stable
    - fs: add stacktrace to fs/promises
    - report: add --report-exclude-network option
    - src: add uv_get_available_memory to report and process
    - stream: support typed arrays
    - util: support array of formats in util.styleText
    - v8: implement v8.queryObjects() for memory leak regression testing
    - watch: mark as stable

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2543-1 advisory.

    Update to 20.15.1:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
    - CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562)
    - CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561)
    - CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563)

    Changes in 20.15.0:

    - test_runner: support test plans
    - inspector: introduce the --inspect-wait flag
    - zlib: expose zlib.crc32()
    - cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

    Changes in 20.14.0

    - src,permission: throw async errors on async APIs
    - test_runner: support forced exit

    Changes in 20.13.1:

    - buffer: improve base64 and base64url performance
    - crypto: deprecate implicitly shortened GCM tags
    - events,doc: mark CustomEvent as stable
    - fs: add stacktrace to fs/promises
    - report: add --report-exclude-network option
    - src: add uv_get_available_memory to report and process
    - stream: support typed arrays
    - util: support array of formats in util.styleText
    - v8: implement v8.queryObjects() for memory leak regression testing
    - watch: mark as stable

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2542-1 advisory.

    Update to 18.20.4:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

    Changes in 18.20.3:

    - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly     closing idle connections.
      deps:
      - acorn updated to 8.11.3.
      - acorn-walk updated to 8.3.2.
      - ada updated to 2.7.8.
      - c-ares updated to 1.28.1.
      - corepack updated to 0.28.0.
      - nghttp2 updated to 1.61.0.
      - ngtcp2 updated to 1.3.0.
      - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections     npm/cli#7324.
      - simdutf updated to 5.2.4.

    Changes in 18.20.2:

    - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option     enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2496-1 advisory.

    Update to 18.20.4:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

    Changes in 18.20.3:

    - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly     closing idle connections.
      deps:
      - acorn updated to 8.11.3.
      - acorn-walk updated to 8.3.2.
      - ada updated to 2.7.8.
      - c-ares updated to 1.28.1.
      - corepack updated to 0.28.0.
      - nghttp2 updated to 1.61.0.
      - ngtcp2 updated to 1.3.0.
      - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections     npm/cli#7324.
      - simdutf updated to 5.2.4.

    Changes in 18.20.2:

    - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option     enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
238753	TencentOS Server 4: nodejs (TSSA-2024:0291)	Nessus	Tencent Local Security Checks	high
209282	Oracle Java SE Multiple Vulnerabilities (October 2024 CPU)	Nessus	Misc.	high
204264	Photon OS 4.0: Nodejs PHSA-2024-4.0-0653	Nessus	PhotonOS Local Security Checks	high
204232	Photon OS 5.0: Nodejs PHSA-2024-5.0-0318	Nessus	PhotonOS Local Security Checks	high
203010	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:2574-1)	Nessus	SuSE Local Security Checks	high
202587	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:2543-1)	Nessus	SuSE Local Security Checks	high
202586	SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:2542-1)	Nessus	SuSE Local Security Checks	high
202562	SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2024:2496-1)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2024-36138

high

Tenable Plugins

high

high

high

high

high

high

high

high