Vulnerability Report: GO-2022-0532
standard library- CVE-2022-30580
- Affects: os/exec
- Published: Jul 26, 2022
- Modified: May 20, 2024
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".
Affected Packages
-
PathVersionsSymbols
-
before go1.17.11, from go1.18.0-0 before go1.18.3
Aliases
References
- https://golang.ir/cl/403759
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://golang.ir/issue/52574
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://vuln.go.dev/ID/GO-2022-0532.json
Credits
- Chris Darroch ([email protected]), brian m. carlson ([email protected]), Mikhail Shcherbakov (https://twitter.com/yu5k3)
Feedback
See anything missing or incorrect?
Suggest an edit to this report.