Ubuntu.comUB:CVE-2022-41716CVE-2022-41716
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
42.1%
Due to unsanitized NUL values, attackers may be able to maliciously set
environment variables on Windows. In syscall.StartProcess and os/exec.Cmd,
invalid environment variable values containing NUL values are not properly
checked for. A malicious environment variable value can exploit this
behavior to set a value for a different environment variable. For example,
the environment variable string โA=B\x00C=Dโ sets the variables โA=Bโ and
โC=Dโ.
Notes
| Author | Note |
|---|---|
| mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | golang-1.10 | <ย any | UNKNOWN |
| ubuntu | 14.04 | noarch | golang-1.10 | <ย any | UNKNOWN |
| ubuntu | 16.04 | noarch | golang-1.10 | <ย any | UNKNOWN |
| ubuntu | 18.04 | noarch | golang-1.13 | <ย any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.13 | <ย any | UNKNOWN |
| ubuntu | 22.04 | noarch | golang-1.13 | <ย any | UNKNOWN |
| ubuntu | 16.04 | noarch | golang-1.13 | <ย any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.14 | <ย any | UNKNOWN |
| ubuntu | 18.04 | noarch | golang-1.16 | <ย any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.16 | <ย any | UNKNOWN |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
42.1%