Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
References
| Link | Resource |
|---|---|
| https://go.dev/cl/403759 | Vendor Advisory |
| https://go.dev/issue/52574 | Issue Tracking, Third Party Advisory |
| https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e | Mailing List, Patch, Vendor Advisory |
| https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ | Mailing List, Third Party Advisory |
| https://pkg.go.dev/vuln/GO-2022-0532 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: Go
Published: 2022-08-09T20:18:04
Updated: 2023-06-12T19:12:35.518Z
Reserved: 2022-05-11T00:00:00
Link: CVE-2022-30580
NVD Information
Status: Modified
Published: 2022-08-10T20:15:40.227
Modified: 2023-11-07T03:47:15.540
Link: CVE-2022-30580
Redhat Information
No data.
CWE