Bug 2118605 (CVE-2022-30580) - CVE-2022-30580 golang: os/exec: Code injection in Cmd.Start
Summary: CVE-2022-30580 golang: os/exec: Code injection in Cmd.Start
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-30580
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2117836
Reported: 2022-08-16 09:11 UTC by Avinash Hanwate
Modified: 2023-09-01 03:53 UTC
147 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the os/exec golang package. This issue occurs when certain Cmd methods are invoked while Cmd.Path is unset. This could lead to a command injection, allowing an attacker to execute any binaries in the working directory.
Clone Of:
Environment:
Last Closed: 2022-08-19 16:53:32 UTC
Embargoed:



Description Avinash Hanwate 2022-08-16 09:11:23 UTC
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://go.dev/cl/403759
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
https://pkg.go.dev/vuln/GO-2022-0532
https://go.dev/issue/52574
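The guard below is an added example and is not code from the Go project or from this bug report. It shows a wrapper that refuses to hand a command to Cmd.Start when Cmd.Path is unset (the condition in the description), when the file name's stem consists of nothing but dots (the "..com"/"..exe" shape named above, generalized to any dot-only stem), or when Path is relative and would therefore be resolved against the working directory rather than PATH. Toolchains at or past the fixed versions named above already reject an empty Path inside Cmd.Start; the wrapper is for code that must also run on older ones. The names ValidateExecPath, GuardedStart and the error variables are this example's own, and the sample paths in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// Errors returned by the guard below (names are this example's own, not os/exec's).
var (
	ErrEmptyPath    = errors.New("exec guard: Cmd.Path is empty")
	ErrDotOnlyName  = errors.New("exec guard: executable name is only dots plus an extension")
	ErrRelativePath = errors.New("exec guard: Cmd.Path is not absolute")
)

// ValidateExecPath rejects the conditions the advisory describes before any
// process is started: an unset Path, a file name such as "..com" or "..exe"
// whose stem is nothing but dots, and a relative Path that would be resolved
// against the working directory instead of PATH.
func ValidateExecPath(path string) error {
	if path == "" {
		return ErrEmptyPath
	}
	base := filepath.Base(path)
	// Strip the extension, then see whether anything but dots remains.
	stem := strings.TrimSuffix(base, filepath.Ext(base))
	if strings.Trim(stem, ".") == "" {
		return ErrDotOnlyName
	}
	if !filepath.IsAbs(path) {
		return ErrRelativePath
	}
	return nil
}

// GuardedStart runs the check and only then calls Cmd.Start; on any rejection
// no process is created.
func GuardedStart(cmd *exec.Cmd) error {
	if err := ValidateExecPath(cmd.Path); err != nil {
		return err
	}
	return cmd.Start()
}

func main() {
	// Constructed case: a Cmd built by hand with Path left unset, which is the
	// shape the advisory describes (exec.Command would have filled Path via LookPath).
	bare := &exec.Cmd{Args: []string{"tool"}}
	fmt.Println("bare Cmd:", GuardedStart(bare))

	// Constructed sample paths; only the absolute one passes the guard.
	for _, p := range []string{"", "..com", "..exe", "tool", "/usr/bin/true"} {
		fmt.Printf("%q -> %v\n", p, ValidateExecPath(p))
	}
}
```

GuardedStart is a drop-in replacement for calling cmd.Start directly; the same check can wrap Run, Output and CombinedOutput, since all of them go through Start.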

Comment 1 Sage McTaggart 2022-08-19 16:49:43 UTC
Only affects Windows. Closing main task as not a bug.