Bug 2118605 (CVE-2022-30580) - CVE-2022-30580 golang: os/exec: Code injection in Cmd.Start
Summary: CVE-2022-30580 golang: os/exec: Code injection in Cmd.Start
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-30580
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2117836
TreeView+ depends on / blocked
 
Reported: 2022-08-16 09:11 UTC by Avinash Hanwate
Modified: 2022-08-19 16:53 UTC (History)
147 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-19 16:53:32 UTC


Attachments (Terms of Use)

Description Avinash Hanwate 2022-08-16 09:11:23 UTC
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://go.dev/cl/403759
https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
https://pkg.go.dev/vuln/GO-2022-0532
https://go.dev/issue/52574

Comment 1 amctagga 2022-08-19 16:49:43 UTC
only affects windows. closing main task as not a bug.


Note You need to log in before you can comment on or make changes to this bug.