CVE-2024-3566
🔴 Łataj teraz
Wstrzyknięcie poleceń w aplikacjach Windows umożliwia atakującemu wykonanie złośliwego kodu.
CVSS
9.8
EPSS
9.6%
Exploit
poc
Vendor
nodejs
Opis źródłowy (NVD)
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
exploit rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 9.6% |
| Opublikowano (NVD) | 2024-04-10 16:15:16 UTC |
| Ostatnia modyfikacja (NVD) | 2026-05-15 15:03:11 UTC |
Referencje
- https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/ (cret@cert.org) [Exploit, Third Party Advisory]
- https://kb.cert.org/vuls/id/123335 (cret@cert.org) [Third Party Advisory]
- https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way (cret@cert.org) [Technical Description]
- https://www.cve.org/CVERecord?id=CVE-2024-1874 (cret@cert.org) [Not Applicable]
- https://www.cve.org/CVERecord?id=CVE-2024-22423 (cret@cert.org) [Not Applicable]
- https://www.cve.org/CVERecord?id=CVE-2024-24576 (cret@cert.org) [Not Applicable]
- https://www.kb.cert.org/vuls/id/123335 (cret@cert.org) [Not Applicable]
- https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2024/CVE-2024-3566 (af854a3a-2127-422b-91ae-364da2661108) [Third Party Advisory]