{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-3566","assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","state":"PUBLISHED","assignerShortName":"certcc","dateReserved":"2024-04-10T04:58:27.982Z","datePublished":"2024-04-10T15:22:56.099Z","dateUpdated":"2025-11-18T17:35:41.547Z"},"containers":{"cna":{"title":"Command injection vulnerability in programming languages on the Microsoft Windows operating system.","descriptions":[{"lang":"en","value":"A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied."}],"source":{"discovery":"UNKNOWN"},"affected":[{"vendor":"Node.js","product":"Node.js","platforms":["Windows"],"versions":[{"status":"affected","version":"*","lessThanOrEqual":"21.7.2","versionType":"custom"}]},{"vendor":"Go Programming Language","product":"GoLang","platforms":["Windows"],"versions":[{"status":"affected","version":"*"}]},{"vendor":"Haskell Programming Language","product":"Haskel","platforms":["Windows"],"versions":[{"status":"affected","version":"*"}]}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}],"references":[{"url":"https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"},{"url":"https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"},{"url":"https://kb.cert.org/vuls/id/123335"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-24576"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-1874"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-22423"},{"url":"https://www.kb.cert.org/vuls/id/123335"}],"x_generator":{"engine":"VINCE 2.1.12","env":"prod","origin":"https://cveawg.mitre.org/api/cve/CVE-2024-3566"},"providerMetadata":{"orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc","dateUpdated":"2024-04-10T15:26:52.009Z"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-18T17:35:41.547Z"},"references":[{"url":"https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566"},{"tags":["x_transferred"],"url":"https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/"},{"tags":["x_transferred"],"url":"https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way"},{"tags":["x_transferred"],"url":"https://kb.cert.org/vuls/id/123335"},{"tags":["x_transferred"],"url":"https://www.cve.org/CVERecord?id=CVE-2024-24576"},{"tags":["x_transferred"],"url":"https://www.cve.org/CVERecord?id=CVE-2024-1874"},{"tags":["x_transferred"],"url":"https://www.cve.org/CVERecord?id=CVE-2024-22423"},{"tags":["x_transferred"],"url":"https://www.kb.cert.org/vuls/id/123335"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}},{"affected":[{"vendor":"nodejs","product":"nodejs","cpes":["cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"21.7.2","versionType":"custom"}]},{"vendor":"haskell","product":"process_library","cpes":["cpe:2.3:a:haskell:process_library:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"1.6.19.0","versionType":"custom"}]},{"vendor":"rust-lang","product":"rust","cpes":["cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"1.77.2","versionType":"custom"}]},{"vendor":"thephpgroup","product":"thephpgroup","cpes":["cpe:2.3:a:thephpgroup:thephpgroup:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"*","versionType":"custom"}]},{"vendor":"yt-dlp_project","product":"yt-dlp","cpes":["cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThan":"*","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-04-15T16:13:02.290928Z","id":"CVE-2024-3566","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-08-22T18:25:43.487Z"}}]}}