Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-30580

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Published

2022-08-10T20:15:40.227

Last Modified

2024-11-21T07:02:58.367

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses

Type: Primary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	< 1.17.11	Yes
Application	golang	go	< 1.18.3	Yes

References

https://go.dev/cl/403759 Vendor Advisory ([email protected])
https://go.dev/issue/52574 Issue Tracking, Third Party Advisory ([email protected])
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e Mailing List, Patch, Vendor Advisory ([email protected])
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ Mailing List, Third Party Advisory ([email protected])
https://pkg.go.dev/vuln/GO-2022-0532 Vendor Advisory ([email protected])
https://go.dev/cl/403759 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://go.dev/issue/52574 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e Mailing List, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pkg.go.dev/vuln/GO-2022-0532 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)