CVE-2024-36138
https://notcve.org/view.php?id=CVE-2024-36138
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-36137 – nodejs: fs.fchown/fchmod bypasses permission model
https://notcve.org/view.php?id=CVE-2024-36137
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors. However, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases https://access.redhat.com/security/cve/CVE-2024-36137 https://bugzilla.redhat.com/show_bug.cgi?id=2299281 • CWE-732: Incorrect Permission Assignment for Critical Resource •