CVE-2022-30580
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | os/exec | 0 < 1.17.11 | affected |
| Go standard library | os/exec | 1.18.0-0 < 1.18.3 | affected |
Weaknesses
- CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://go.dev/cl/403759
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://go.dev/issue/52574
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0532
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://go.dev/cl/403759
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://go.dev/issue/52574
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0532
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.