GO-2022-0532

Source
https://pkg.go.dev/vuln/GO-2022-0532
Import Source
https://vuln.go.dev/ID/GO-2022-0532.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0532
Aliases
Published
2022-07-26T21:41:20Z
Modified
2024-05-20T16:03:47Z
Summary
Empty Cmd.Path can trigger unintended binary in os/exec on Windows
Details

On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".
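The following is an added example, not code from the Go project or from this record: it checks a Go release string against the affected ranges listed on this page and rejects an `exec.Cmd` whose `Path` is unset before it is run. The function names `affected` and `checkCmd` are hypothetical, and pre-release suffixes such as `rc1` are assumed to count as the base release.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"runtime"
	"strconv"
	"strings"
)

// affected reports whether a Go release string such as "go1.18.2" falls in
// the ranges listed on this page: below 1.17.11, or 1.18.0-0 up to 1.18.3.
func affected(version string) (bool, error) {
	var n [3]int // major, minor, patch; missing parts stay 0
	for i, p := range strings.SplitN(strings.TrimPrefix(version, "go"), ".", 3) {
		end := 0 // keep leading digits only, so "18rc1" parses as 18
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		v, err := strconv.Atoi(p[:end])
		if err != nil {
			return false, fmt.Errorf("unrecognised Go version %q", version)
		}
		n[i] = v
	}
	switch {
	case n[0] != 1:
		return n[0] < 1, nil
	case n[1] == 17:
		return n[2] < 11, nil
	case n[1] == 18:
		return n[2] < 3, nil
	}
	return n[1] < 17, nil
}

// checkCmd (hypothetical helper) rejects a Cmd whose Path is unset, the
// precondition the advisory describes, before Start/Run is ever called.
func checkCmd(cmd *exec.Cmd) error {
	if cmd == nil || cmd.Path == "" {
		return errors.New("refusing to run exec.Cmd with empty Path")
	}
	return nil
}

func main() {
	hit, err := affected(runtime.Version())
	fmt.Println(runtime.Version(), runtime.GOOS, "affected range:", hit, err)
}
```

The version check only tells you whether the toolchain is in the listed ranges; per the record, the behaviour itself applies on Windows.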

References
Credits
    • Chris Darroch (chrisd8088@github.com)
    • brian m. carlson (bk2204@github.com)
    • Mikhail Shcherbakov (https://twitter.com/yu5k3)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.17.11
Introduced
1.18.0-0
Fixed
1.18.3

Ecosystem specific

{
    "imports": [
        {
            "path": "os/exec",
            "symbols": [
                "Cmd.Start"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}