CVE-2022-30580 — Code Injection in Standard Library OS Exec

CWE-94 — Code Injection7 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 81.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library OS Exec Golang GO

Timeline

PublishedAug 10

Latest updateAug 11

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5go_standard_library/os_exec1.18.0-0 — 1.18.3+1

▶NVDgolang/go1.18.0 — 1.18.3+1

Patches

Patch: go.googlesource.com ↗Patch: go.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-2v97-2cxm-mvp4: Code injection in Cmd↗2022-08-11

▶

CVEList

Empty Cmd.Path can trigger unintended binary in os/exec on Windows↗2022-08-09

▶

OSV

Empty Cmd.Path can trigger unintended binary in os/exec on Windows↗2022-07-26

▶

📋Vendor Advisories

Red Hat

golang: os/exec: Code injection in Cmd.Start↗2022-08-10

▶

Microsoft

Empty Cmd.Path can trigger unintended binary in os/exec on Windows↗2022-08-09

▶

Debian

CVE-2022-30580: golang-1.15 - Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows ex...↗2022

▶