CVE-2022-30580

Name
CVE-2022-30580
Description
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
NVD Severity
medium

References

| Type | URI |
| --- | --- |
| MISC | https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ |
| MISC | https://go.dev/cl/403759 |
| MISC | https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e |
| MISC | https://pkg.go.dev/vuln/GO-2022-0532 |
| MISC | https://go.dev/issue/52574 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| `cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*` | go | >= 1.18.0 | < 1.18.3 |
| `cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*` | go | >= None | < 1.17.11 |

Vulnerable and fixed packages

Source package Branch Version Maintainer Status