CVE-2022-30580
Published: 10 August 2022
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
Priority
Status
Package | Release | Status |
---|---|---|
golang-1.11 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
golang-1.15 | impish | Not vulnerable (windows only) |
golang-1.15 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
golang-1.17 | impish | Not vulnerable (windows only) |
golang-1.17 | jammy | Not vulnerable (windows only) |
golang-1.17 | kinetic | Does not exist |
golang-1.17 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
golang-1.18 | bionic | Not vulnerable (windows only) |
golang-1.18 | focal | Not vulnerable (windows only) |
golang-1.18 | jammy | Not vulnerable (windows only) |
golang-1.18 | kinetic | Does not exist |
golang-1.18 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
golang-1.7 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
golang-1.8 | bionic | Not vulnerable (windows only) |
golang-1.8 | upstream | Not vulnerable (debian: Only affects Go on Windows) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |