CVE-2024-3566 — Command injection vulnerability in programing languages on Microsoft Windows ope

Description

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

How to fix CVE-2024-3566

To remediate CVE-2024-3566, upgrade the affected package to a fixed version below.

Bitnami/node—upgrade to 18.19.0 or later
—upgrade to 18.20.5 or later
—upgrade to 1.6.23.0 or later

Is CVE-2024-3566 being exploited?

Moderate — EPSS is 9.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

>= 1.77.2, < 18.19.0
>= 1.77.2, < 18.20.5
>= 1.0.0.0, < 1.6.23.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (11)

ADVISORYflatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
ADVISORYkb.cert.org/vuls/id/123335
PATCHgithub.com/haskell/process/commit/3c419f9eeedac024c9dccce544e5a6fb587179a5
PATCHgithub.com/haskell/process/commit/5fc91f5f36ed4479be2b95f04f264bb78ac8089d