CVE-2024-3566 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
certcc	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Vendor	Product	Version
golang	go	*
haskell	process_library	1.6.19.0
nodejs	node.js	𝑥 ≤ 21.7.2
php	php	*
rust-lang	rust	1.77.2
yt-dlp_project	yt-dlp	*

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nodejs

bullseye	12.22.12~dfsg-1~deb11u4 fixed
bullseye (security)	12.22.12~dfsg-1~deb11u7 fixed
bookworm	18.20.4+dfsg-1~deb12u1 fixed
bookworm (security)	18.20.4+dfsg-1~deb12u1 fixed
trixie	20.19.2+dfsg-1 fixed
forky	20.19.5+dfsg+~cs20.19.24-1 fixed
sid	22.21.1+dfsg+~cs22.19.0-5 fixed

Known Exploits!

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

https://kb.cert.org/vuls/id/123335

https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way

https://www.cve.org/CVERecord?id=CVE-2024-1874

https://www.cve.org/CVERecord?id=CVE-2024-22423

https://www.cve.org/CVERecord?id=CVE-2024-24576

https://www.kb.cert.org/vuls/id/123335

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566

https://kb.cert.org/vuls/id/123335

https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way

https://www.cve.org/CVERecord?id=CVE-2024-1874

https://www.cve.org/CVERecord?id=CVE-2024-22423

https://www.cve.org/CVERecord?id=CVE-2024-24576

https://www.kb.cert.org/vuls/id/123335