CVE-2024-3566

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
certccCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Debian logo
Debian Releases
Debian Product
Codename
nodejs
bullseye
12.22.12~dfsg-1~deb11u4
fixed
bullseye (security)
12.22.12~dfsg-1~deb11u7
fixed
bookworm
18.19.0+dfsg-6~deb12u2
fixed
bookworm (security)
18.19.0+dfsg-6~deb12u1
fixed
trixie
20.19.0+dfsg1-1
fixed
sid
20.19.2+dfsg-1
fixed
References
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
https://kb.cert.org/vuls/id/123335
https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
https://www.cve.org/CVERecord?id=CVE-2024-1874
https://www.cve.org/CVERecord?id=CVE-2024-22423
https://www.cve.org/CVERecord?id=CVE-2024-24576
https://www.kb.cert.org/vuls/id/123335
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
https://kb.cert.org/vuls/id/123335
https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
https://www.cve.org/CVERecord?id=CVE-2024-1874
https://www.cve.org/CVERecord?id=CVE-2024-22423
https://www.cve.org/CVERecord?id=CVE-2024-24576
https://www.kb.cert.org/vuls/id/123335