Vulnerability Report: GO-2022-0532
- CVE-2022-30580
- Affects: os/exec
- Published: Jul 26, 2022
- Modified: Jun 12, 2023
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".
Affected Packages
-
PathVersionsSymbols
-
before go1.17.11, from go1.18.0-0 before go1.18.3
Aliases
References
- https://go.dev/cl/403759
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://go.dev/issue/52574
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://vuln.go.dev/ID/GO-2022-0532.json
Credits
- Chris Darroch (chrisd8088@github.com)brian m. carlson (bk2204@github.com), Mikhail Shcherbakov (https://twitter.com/yu5k3)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.