PT-2024-26606 · Microsoft · Windows
Ryotak · Published 2024-04-09 · Updated 2026-05-15
CVE-2024-3566 · CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
process versions prior to 1.6.19.0
GHC versions prior to 9.10.1-alpha3
GHC versions prior to 9.8.3
GHC versions prior to 9.6.5
Node.js versions up to 21.7.2
Description
A command injection vulnerability affects Windows applications that indirectly depend on the CreateProcess function when specific conditions are satisfied. The issue arises when executing .bat or .cmd files whose argument values include, or are influenced by, program input. This behavior was found in the Windows process-execution layer of many programming languages and runtimes. The estimated number of potentially affected devices is not specified.
Recommendations
For process versions prior to 1.6.19.0, update to version 1.6.19.0 or later.
For GHC versions prior to 9.10.1-alpha3, update to version 9.10.1-alpha3 or later.
For GHC versions prior to 9.8.3, update to version 9.8.3 or later.
For GHC versions prior to 9.6.5, update to version 9.6.5 or later.
For Node.js versions up to 21.7.2, no fix is available yet. As a temporary workaround, avoid executing batch files where arguments include or are influenced by untrusted program input, and reject arguments that contain special characters, including & and ".
Exploit
Fix
DoS
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Windows