Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Node (Node.js)). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.11, 21.0.3 and 22.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle GraalVM for JDK as well as unauthorized update, insert or delete access to some of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2574-1 advisory.

    Update to 20.15.1:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
    - CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562)
    - CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561)
    - CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563)

    Changes in 20.15.0:

    - test_runner: support test plans
    - inspector: introduce the --inspect-wait flag
    - zlib: expose zlib.crc32()
    - cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

    Changes in 20.14.0

    - src,permission: throw async errors on async APIs
    - test_runner: support forced exit

    Changes in 20.13.1:

    - buffer: improve base64 and base64url performance
    - crypto: deprecate implicitly shortened GCM tags
    - events,doc: mark CustomEvent as stable
    - fs: add stacktrace to fs/promises
    - report: add --report-exclude-network option
    - src: add uv_get_available_memory to report and process
    - stream: support typed arrays
    - util: support array of formats in util.styleText
    - v8: implement v8.queryObjects() for memory leak regression testing
    - watch: mark as stable

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2543-1 advisory.

    Update to 20.15.1:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)
    - CVE-2024-22018: Fixed fs.lstat bypasses permission model (bsc#1227562)
    - CVE-2024-36137: Fixed fs.fchown/fchmod bypasses permission model (bsc#1227561)
    - CVE-2024-37372: Fixed Permission model improperly processes UNC paths (bsc#1227563)

    Changes in 20.15.0:

    - test_runner: support test plans
    - inspector: introduce the --inspect-wait flag
    - zlib: expose zlib.crc32()
    - cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

    Changes in 20.14.0

    - src,permission: throw async errors on async APIs
    - test_runner: support forced exit

    Changes in 20.13.1:

    - buffer: improve base64 and base64url performance
    - crypto: deprecate implicitly shortened GCM tags
    - events,doc: mark CustomEvent as stable
    - fs: add stacktrace to fs/promises
    - report: add --report-exclude-network option
    - src: add uv_get_available_memory to report and process
    - stream: support typed arrays
    - util: support array of formats in util.styleText
    - v8: implement v8.queryObjects() for memory leak regression testing
    - watch: mark as stable

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2542-1 advisory.

    Update to 18.20.4:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

    Changes in 18.20.3:

    - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly     closing idle connections.
      deps:
      - acorn updated to 8.11.3.
      - acorn-walk updated to 8.3.2.
      - ada updated to 2.7.8.
      - c-ares updated to 1.28.1.
      - corepack updated to 0.28.0.
      - nghttp2 updated to 1.61.0.
      - ngtcp2 updated to 1.3.0.
      - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections     npm/cli#7324.
      - simdutf updated to 5.2.4.

    Changes in 18.20.2:

    - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option     enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2496-1 advisory.

    Update to 18.20.4:

    - CVE-2024-36138: Fixed CVE-2024-27980 fix bypass (bsc#1227560)
    - CVE-2024-22020: Fixed a bypass of network import restriction via data URL (bsc#1227554)

    Changes in 18.20.3:

    - This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly     closing idle connections.
      deps:
      - acorn updated to 8.11.3.
      - acorn-walk updated to 8.3.2.
      - ada updated to 2.7.8.
      - c-ares updated to 1.28.1.
      - corepack updated to 0.28.0.
      - nghttp2 updated to 1.61.0.
      - ngtcp2 updated to 1.3.0.
      - npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections     npm/cli#7324.
      - simdutf updated to 5.2.4.

    Changes in 18.20.2:

    - CVE-2024-27980: Fixed command injection via args parameter of child_process.spawn without shell option     enabled on Windows (bsc#1222665)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Node.js installed on the remote host is prior to 18.20.4, 20.15.1, 22.4.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Monday, July 8, 2024 Security Releases advisory.

  - The CVE-2024-27980 was identified as an incomplete fix for the BatBadBut vulnerability. This vulnerability     arises from improper handling of batch files with all possible extensions on Windows via     child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary     commands and achieve code execution even if the shell option is not enabled. This vulnerability affects     all users of child_process.spawn and child_process.spawnSync on Windows in all active release lines.
    Impact: Thank you, to tianst for reporting this vulnerability and thank you RafaelGSS for fixing it.
    (CVE-2024-27980)

  - A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network     imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on     various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting     this flaw can violate network import security, posing a risk to developers and servers. Impact: Thank you,     to dittyroma for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2024-22020)

  - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when     the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however,     operations such as fs.fchown or fs.fchmod can use a read-only file descriptor to change the owner and     permissions of a file. This vulnerability affects all users using the experimental permission model in     Node.js 20 and Node.js 22. Please note that at the time this CVE was issued, the permission model is an     experimental feature of Node.js. Impact: Thank you, to 4xpl0r3r for reporting this vulnerability and thank     you RafaelGSS for fixing it. (CVE-2024-36137)

  - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when     the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to     restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files     that they do not have explicit read access to. This vulnerability affects all users using the experimental     permission model in Node.js 20 and Node.js 22. Please note that at the time this CVE was issued, the     permission model is an experimental feature of Node.js. Impact: Thank you, to haxatron1 for reporting this     vulnerability and thank you RafaelGSS for fixing it. (CVE-2024-22018)

  - The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix     that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. This     vulnerability affects Windows users of the Node.js Permission Model in version v22.x and v20.x Impact:
    Thank you, to tniessen for reporting this vulnerability and thank you RafaelGSS for fixing it.
    (CVE-2024-37372)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-2c52524694 advisory.

    ## 2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @RafaelGSS

    This is a security release.

    ### Notable Changes

    * CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option     enabled on Windows

    ### Commits

    * \[[`6627222409`](https://github.com/nodejs/node/commit/6627222409)] - **src**: disallow direct .bat and     .cmd file spawning (Ben Noordhuis) [nodejs-private/node-private#564](https://github.com/nodejs-     private/node-private/pull/564)

    <a id=18.20.1></a>


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-8d548b8c96 advisory.

    ## 2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @RafaelGSS

    This is a security release.

    ### Notable Changes

    * CVE-2024-27980 - Command injection via args parameter of `child_process.spawn` without shell option     enabled on Windows

    ### Commits

    * \[[`6627222409`](https://github.com/nodejs/node/commit/6627222409)] - **src**: disallow direct .bat and     .cmd file spawning (Ben Noordhuis) [nodejs-private/node-private#564](https://github.com/nodejs-     private/node-private/pull/564)

    <a id=18.20.1></a>


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Node.js installed on the remote host is prior to 18.20.2, 20.12.2, 21.7.3. It is, therefore, affected by a command injection vulnerability as referenced in the Wednesday, April 10, 2024 Security Releases advisory.  This is due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument  can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203010	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:2574-1)	Nessus	SuSE Local Security Checks	high
202587	SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:2543-1)	Nessus	SuSE Local Security Checks	high
202586	SUSE SLES15 / openSUSE 15 Security Update : nodejs18 (SUSE-SU-2024:2542-1)	Nessus	SuSE Local Security Checks	high
202562	SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2024:2496-1)	Nessus	SuSE Local Security Checks	high
201969	Node.js 18.x < 18.20.4 / 20.x < 20.15.1 / 22.x < 22.4.1 Multiple Vulnerabilities (Monday, July 8, 2024 Security Releases).	Nessus	Misc.	critical
194541	Fedora 40 : nodejs18 (2024-2c52524694)	Nessus	Fedora Local Security Checks	high
193642	Fedora 39 : nodejs18 (2024-8d548b8c96)	Nessus	Fedora Local Security Checks	high
193573	Node.js 18.x < 18.20.2 / 20.x < 20.12.2 / 21.x < 21.7.3 Command Injection Vulnerability (Wednesday, April 10, 2024 Security Releases).	Nessus	Misc.	high

Detections

Analytics

CVE-2024-27980

high

Tenable Plugins

high

high

high

high

critical

high

high

high