CVE-2024-3566
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-3566
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| haskell | process_library | {"endExcluding":"1.6.19.0"} | 1.6.19.0 |
| nodejs | node.js | {"endExcluding":"18.20.2"} | 18.20.2 |
| php | php | {"endExcluding":"8.1.28"} | 8.1.28 |
| rust-lang | rust | {"endExcluding":"1.77.2"} | 1.77.2 |
| yt-dlp_project | yt-dlp | {"startIncluding":"2021.04.11","endExcluding":"2024.04.09"} | 2024.04.09 |
References
- https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
- https://kb.cert.org/vuls/id/123335
- https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way
- https://www.cve.org/CVERecord?id=CVE-2024-1874
- https://www.cve.org/CVERecord?id=CVE-2024-22423
- https://www.cve.org/CVERecord?id=CVE-2024-24576
- https://www.kb.cert.org/vuls/id/123335
- https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566
- https://security-tracker.debian.org/tracker/CVE-2024-3566
CWEs
CWE-77