7.8

CVE-2022-30580

Empty Cmd.Path can trigger unintended binary in os/exec on Windows

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.17.11
GolangGo Version >= 1.18.0 < 1.18.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.58% 0.43
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
Third Party Advisory
Mailing List
https://go.dev/cl/403759
Vendor Advisory
https://go.dev/issue/52574
Third Party Advisory
Issue Tracking
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
Patch
Vendor Advisory
Mailing List
https://pkg.go.dev/vuln/GO-2022-0532
Vendor Advisory