ГлавнаяУязвимости → CVE-2024-3566
9.8критическая

CVE-2024-3566

Описание

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Затрагиваемое ПО
Haskell Process libraryNodejs Node.jsPhp PhpRust-lang RustYt-dlp project Yt-dlpMicrosoft Windows
CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/https://kb.cert.org/vuls/id/123335https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-wayhttps://www.cve.org/CVERecord?id=CVE-2024-1874https://www.cve.org/CVERecord?id=CVE-2024-22423https://www.cve.org/CVERecord?id=CVE-2024-24576https://www.kb.cert.org/vuls/id/123335https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/