CVE-2022-30580

EPSS 0.03%
Veröffentlicht 10.08.2022 20:15:40
Zuletzt bearbeitet 21.11.2024 07:02:58
Quelle security@golang.org
Teams Watchlist Login
Unerledigt Login

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Golang ≫ Go Version < 1.17.11

Golang ≫ Go Version >= 1.18.0 < 1.18.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.067

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

Third Party Advisory

Mailing List

https://go.dev/cl/403759

Vendor Advisory

https://go.dev/issue/52574

Third Party Advisory

Issue Tracking

https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e

Patch

Vendor Advisory

Mailing List