Vulnerability Description
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
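The condition the description names, a Cmd whose Path field is empty, is easy to guard against in calling code. The following Go program is an added example written for this page; it is not code from the Go project or from the advisory, and the names validateCmd, startChecked, resolveCommand, ErrNoCommand and ErrRelativePath are this example's own. It refuses to start a Cmd with an unset Path and, as an additional hardening choice made here, also refuses a Path that is not absolute, so the binary that runs never depends on the working directory.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// ErrNoCommand is returned for a Cmd whose Path is unset, the situation the
// advisory describes. The name is this example's own, not an os/exec identifier.
var ErrNoCommand = errors.New("exec wrapper: Cmd.Path is empty")

// ErrRelativePath is returned for a Path that is not absolute. Requiring an
// absolute path is a hardening choice made in this example.
var ErrRelativePath = errors.New("exec wrapper: Cmd.Path is not absolute")

// validateCmd checks a Cmd before it is handed to Cmd.Start.
func validateCmd(cmd *exec.Cmd) error {
	if cmd == nil || cmd.Path == "" {
		return ErrNoCommand
	}
	if !filepath.IsAbs(cmd.Path) {
		return ErrRelativePath
	}
	return nil
}

// startChecked runs the validation and only then calls Cmd.Start.
func startChecked(cmd *exec.Cmd) error {
	if err := validateCmd(cmd); err != nil {
		return err
	}
	return cmd.Start()
}

// resolveCommand builds a Cmd from a bare program name. A failed lookup
// yields an error rather than a Cmd with an empty or relative Path.
func resolveCommand(name string, args ...string) (*exec.Cmd, error) {
	if name == "" {
		return nil, ErrNoCommand
	}
	path, err := exec.LookPath(name)
	if err != nil {
		return nil, err
	}
	if !filepath.IsAbs(path) {
		return nil, ErrRelativePath
	}
	return exec.Command(path, args...), nil
}

func main() {
	// Constructed input: a Cmd with Path left unset.
	cmd := &exec.Cmd{Args: []string{""}}
	if err := startChecked(cmd); err != nil {
		fmt.Println("refused:", err)
	}
	if _, err := resolveCommand(""); err != nil {
		fmt.Println("refused:", err)
	}
}
```

The wrapper is deliberately stricter than the description requires: rejecting relative paths as well as empty ones means a lookup that resolved through the current directory is also caught, independent of which Go version is in use.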
CVSS Score
HIGH (base score 7.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.17.11 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/403759 (Vendor Advisory)
- https://go.dev/issue/52574 (Issue Tracking, Third Party Advisory)
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e (Mailing List, Patch, Vendor Advisory)
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ (Mailing List, Third Party Advisory)
- https://pkg.go.dev/vuln/GO-2022-0532 (Vendor Advisory)
FAQ
What is CVE-2022-30580?
CVE-2022-30580 is a vulnerability with a CVSS score of 7.8 (HIGH). Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
How severe is CVE-2022-30580?
CVE-2022-30580 has been rated HIGH with a CVSS base score of 7.8/10; see the CVSS Score section above.
Is there a patch for CVE-2022-30580?
Yes. As stated in the description, the issue is fixed in Go 1.17.11 and Go 1.18.3; the references section above links the vendor advisory and the patch commit. Affected products include: Golang Go.