CVE-2022-30580

high

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

References

Advisories
More

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

https://go.dev/issue/52574

https://pkg.go.dev/vuln/GO-2022-0532

https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e

https://go.dev/cl/403759

Details

Source: Mitre, NVD

Published: 2022-08-10

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00025

Detections

Analytics