Vulnerabilites related to Go Programming Language - GoLang
cve-2024-3566
Vulnerability from cvelistv5
Published
2024-04-10 15:22
Modified
2024-08-22 18:25
Severity ?
EPSS score ?
Summary
A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Node.js | Node.js |
Version: * < |
|||||||||||
|
||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T20:12:07.971Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/", }, { tags: [ "x_transferred", ], url: "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way", }, { tags: [ "x_transferred", ], url: "https://kb.cert.org/vuls/id/123335", }, { tags: [ "x_transferred", ], url: "https://www.cve.org/CVERecord?id=CVE-2024-24576", }, { tags: [ "x_transferred", ], url: "https://www.cve.org/CVERecord?id=CVE-2024-1874", }, { tags: [ "x_transferred", ], url: "https://www.cve.org/CVERecord?id=CVE-2024-22423", }, { tags: [ "x_transferred", ], url: "https://www.kb.cert.org/vuls/id/123335", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "nodejs", vendor: "nodejs", versions: [ { lessThanOrEqual: "21.7.2", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:haskell:process_library:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "process_library", vendor: "haskell", versions: [ { lessThan: "1.6.19.0", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "rust", vendor: "rust-lang", versions: [ { lessThan: "1.77.2", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:thephpgroup:thephpgroup:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "thephpgroup", vendor: "thephpgroup", versions: [ { lessThan: "*", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:yt-dlp_project:yt-dlp:-:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "yt-dlp", vendor: "yt-dlp_project", versions: [ { lessThan: "*", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-3566", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-04-15T16:13:02.290928Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-22T18:25:43.487Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { platforms: [ "Windows", ], product: "Node.js", vendor: "Node.js", versions: [ { lessThanOrEqual: "21.7.2", status: "affected", version: "*", versionType: "custom", }, ], }, { platforms: [ "Windows", ], product: "GoLang", vendor: "Go Programming Language", versions: [ { status: "affected", version: "*", }, ], }, { platforms: [ "Windows", ], product: "Haskel", vendor: "Haskell Programming Language", versions: [ { status: "affected", version: "*", }, ], }, ], descriptions: [ { lang: "en", value: "A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-10T15:26:52.009Z", orgId: "37e5125f-f79b-445b-8fad-9564f167944b", shortName: "certcc", }, references: [ { url: "https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/", }, { url: "https://learn.microsoft.com/en-us/archive/blogs/twistylittlepassagesallalike/everyone-quotes-command-line-arguments-the-wrong-way", }, { url: "https://kb.cert.org/vuls/id/123335", }, { url: "https://www.cve.org/CVERecord?id=CVE-2024-24576", }, { url: "https://www.cve.org/CVERecord?id=CVE-2024-1874", }, { url: "https://www.cve.org/CVERecord?id=CVE-2024-22423", }, { url: "https://www.kb.cert.org/vuls/id/123335", }, ], source: { discovery: "UNKNOWN", }, title: "Command injection vulnerability in programing languages on Microsoft Windows operating system.", x_generator: { engine: "VINCE 2.1.12", env: "prod", origin: "https://cveawg.mitre.org/api/cve/CVE-2024-3566", }, }, }, cveMetadata: { assignerOrgId: "37e5125f-f79b-445b-8fad-9564f167944b", assignerShortName: "certcc", cveId: "CVE-2024-3566", datePublished: "2024-04-10T15:22:56.099Z", dateReserved: "2024-04-10T04:58:27.982Z", dateUpdated: "2024-08-22T18:25:43.487Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }