Node.js is used as runtime and SDK for Apache Cordova applications within IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition. A remote execution of arbitrary commands vulnerability affecting Node.js has been published in this security bulletin. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.
CVEID:CVE-2024-27980
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by the improper handling of batch files in child_process.spawn / child_process.spawnSync. By sending a specially crafted command line argument using args parameter, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287430 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
RDi | 9.6 |
The issue can be fixed by loading a new version of Node.js.
Products(s) | Versions(s) | Remediation/Fix/Instructions |
---|---|---|
IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition | 9.6.0.0 - 9.6.0.13 |
IBM strongly recommends addressing the vulnerability now by upgrading to the latest Node.js 18.x version, please follow Upgrading the Node.js that is used by Cordova or NodeRed to upgrade.
None