DEBIAN-CVE-2022-41716

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2022-41716

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2022-41716.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2022-41716

Upstream

CVE-2022-41716

Published

2022-11-02T16:15:11Z

Modified

2025-09-25T23:27:49.583958Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

References

https://security-tracker.debian.org/tracker/CVE-2022-41716

Affected packages

Debian:11 / golang-1.15

Package

Name: golang-1.15
Purl: pkg:deb/debian/golang-1.15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.15.9-6

1.15.15-1~deb11u1

1.15.15-1~deb11u2

1.15.15-1~deb11u3

1.15.15-1~deb11u4

1.15.15-1

1.15.15-2

1.15.15-3

1.15.15-4

1.15.15-5

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / golang-1.19

Package

Name: golang-1.19
Purl: pkg:deb/debian/golang-1.19?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.19.3-1

Ecosystem specific

{
    "urgency": "unimportant"
}