CVE-2022-30580

2022-08-1020:15:40

CWE-94

web.nvd.nist.gov

205

cve-2022-30580

code injection

cmd.start

os/exec

security vulnerability

go 1.17.11

go 1.18.3

nvd

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

Percentile

14.2%

JSON

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either “…com” or “…exe” by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Affected configurations

Nvd

Node

golanggoRange<1.17.11

golanggoRange1.18.0–1.18.3

VendorProductVersionCPE
golanggo*cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
golang	go	*	cpe:2.3:a:golang:go::::::::

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "os/exec",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "os/exec",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.17.11",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.18.0-0",
        "lessThan": "1.18.3",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "platforms": [
      "windows"
    ],
    "programRoutines": [
      {
        "name": "Cmd.Start"
      }
    ],
    "defaultStatus": "unaffected"
  }
]