Your submission was sent successfully! Close

CVE-2022-30580

Published: 10 August 2022

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
golang-1.11
Launchpad, Ubuntu, Debian
upstream Not vulnerable
(debian: Only affects Go on Windows)
golang-1.15
Launchpad, Ubuntu, Debian
impish Not vulnerable
(windows only)
upstream Not vulnerable
(debian: Only affects Go on Windows)
golang-1.17
Launchpad, Ubuntu, Debian
impish Not vulnerable
(windows only)
jammy Not vulnerable
(windows only)
kinetic Does not exist

upstream Not vulnerable
(debian: Only affects Go on Windows)
golang-1.18
Launchpad, Ubuntu, Debian
jammy Not vulnerable
(windows only)
kinetic Does not exist

upstream Not vulnerable
(debian: Only affects Go on Windows)
golang-1.7
Launchpad, Ubuntu, Debian
upstream Not vulnerable
(debian: Only affects Go on Windows)
golang-1.8
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(windows only)
upstream Not vulnerable
(debian: Only affects Go on Windows)