Vulnerability Report: GO-2022-0532

CVE-2022-30580
Affects: os/exec
Published: Jul 26, 2022
Modified: Jun 12, 2023

On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".

Affected Packages

Path

Versions

Symbols
os/exec

before go1.17.11, from go1.18.0-0 before go1.18.3
- Cmd.Start

Aliases

CVE-2022-30580

References

https://go.dev/cl/403759
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
https://go.dev/issue/52574
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://vuln.go.dev/ID/GO-2022-0532.json

Credits

Chris Darroch (chrisd8088@github.com)brian m. carlson (bk2204@github.com), Mikhail Shcherbakov (https://twitter.com/yu5k3)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL