Command Injection Vulnerability Affects Windows Applications
CVE-2024-3566

9.8CRITICAL

Key Information:

Vendor: Node.js
Status: Node.js; Golang; Haskel
Vendor: CVE Published:; 10 April 2024

What is CVE-2024-3566?

A command injection vulnerability in Windows applications enables attackers to manipulate the execution of commands through weaknesses in how applications that rely on the CreateProcess function handle command-line arguments. This vulnerability can be exploited under specific conditions, allowing unauthorized command execution and potentially leading to security breaches. Developers are encouraged to review their coding practices to ensure safe parameter handling, especially regarding user input that may affect command execution.

Affected Version(s)

GoLang Windows *

Haskel Windows *

Node.js Windows * <= 21.7.2

References

https://flatt.tech/research/posts/batbadbut-you-cant-secu...

https://learn.microsoft.com/en-us/archive/blogs/twistylit...

https://kb.cert.org/vuls/id/123335

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Apr 10, 2024

JSON