blob: aa7839ba85a72eed4e29d41777027434ef73a46b [file] [log] [blame]
id: GO-2022-0532
modules:
- module: std
versions:
- fixed: 1.17.11
- introduced: 1.18.0-0
- fixed: 1.18.3
vulnerable_at: 1.18.2
packages:
- package: os/exec
goos:
- windows
symbols:
- Cmd.Start
summary: Empty Cmd.Path can trigger unintended binary in os/exec on Windows
description: |-
On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when
Cmd.Path is unset will unintentionally trigger execution of any binaries in the
working directory named either "..com" or "..exe".
published: 2022-07-26T21:41:20Z
credits:
- Chris Darroch (chrisd8088@github.com)
- brian m. carlson (bk2204@github.com)
- Mikhail Shcherbakov (https://twitter.com/yu5k3)
references:
- fix: https://go.dev/cl/403759
- fix: https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- report: https://go.dev/issue/52574
- web: https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
cve_metadata:
id: CVE-2022-30580
cwe: 'CWE-94: Improper Control of Generation of Code (''Code Injection'')'
description: |-
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows
execution of any binaries in the working directory named either "..com" or
"..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when
Cmd.Path is unset.
review_status: REVIEWED