CVE-2022-30580
Published: 2022-08-10

Priority: P339 · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.58% (43.2nd percentile)
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| go_standard_library | os_exec | < 1.17.11 | 1.17.11 |
| go_standard_library | os_exec | >= 1.18.0-0 < 1.18.3 | 1.18.3 |
| golang | go | < 1.17.11 | 1.17.11 |
| golang | go | >= 1.18.0 < 1.18.3 | 1.18.3 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.18.5-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_golang_1.18.5-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_debian | — | 7.8 | LOW | — |
| vendor_msrc | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
Red Hat
golang: os/exec: Code injection in Cmd.Start
vendor_redhat·2022-08-10·CVSS 7.8
CVE-2022-30580 [HIGH] CWE-94 golang: os/exec: Code injection in Cmd.Start
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
A flaw was found in the os/exec golang package. This issue occurs when invoking various Cmd methods while Cmd.Path is unset. This could lead to a command injection, allowing an attacker to execute any binaries in the working directory.
Statement: CVE-2022-30580 affects Windows only, where an empty Cmd.Path can result in running an unintended binary.
Packages shipped with Red Hat Enterprise Linux - 8 and 9 are unaffected.
Package: custom-metrics-autoscaler/custom-metrics-autoscaler-rh
Microsoft
Empty Cmd.Path can trigger unintended binary in os/exec on Windows
vendor_msrc·2022-08-09·CVSS 7.8
CVE-2022-30580 [HIGH] CWE-94 Empty Cmd.Path can trigger unintended binary in os/exec on Windows
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open-source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2022-30580: golang-1.15 - Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows ex...
vendor_debian·2022·CVSS 7.8
CVE-2022-30580 [HIGH] CVE-2022-30580: golang-1.15 - Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows ex...
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Scope: local
bullseye: resolved
GHSA
GHSA-2v97-2cxm-mvp4: Code injection in Cmd
ghsa_unreviewed·2022-08-11
CVE-2022-30580 [HIGH] CWE-94 GHSA-2v97-2cxm-mvp4: Code injection in Cmd
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
OSV
Empty Cmd.Path can trigger unintended binary in os/exec on Windows
osv·2022-07-26
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".
No detection rules found.
No public exploits indexed.
References:
- https://go.dev/cl/403759
- https://go.dev/issue/52574
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0532