Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-08-09T20:18:04

Updated: 2024-08-03T06:56:12.971Z

Reserved: 2022-05-11T00:00:00

Link: CVE-2022-30580

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-08-10T20:15:40.227

Modified: 2024-11-21T07:02:58.367

Link: CVE-2022-30580

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-08-10T00:00:00Z

Links: CVE-2022-30580 - Bugzilla