BIT-golang-2022-30580

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/golang/BIT-golang-2022-30580.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-golang-2022-30580

Aliases

CVE-2022-30580
GO-2022-0532

Published

2024-03-06T11:00:32.217Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

References

https://go.dev/cl/403759
https://go.dev/issue/52574
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://pkg.go.dev/vuln/GO-2022-0532

Affected packages

Bitnami / golang

Package

Name: golang
Purl: pkg:bitnami/golang

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.17.11

Introduced

1.18.0

Fixed

1.18.3