| id: GO-2022-1095 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.18.8 |
| - introduced: 1.19.0-0 |
| - fixed: 1.19.3 |
| vulnerable_at: 1.19.2 |
| packages: |
| - package: syscall |
| goos: |
| - windows |
| symbols: |
| - StartProcess |
| - package: os/exec |
| goos: |
| - windows |
| symbols: |
| - Cmd.environ |
| - dedupEnv |
| - dedupEnvCase |
| derived_symbols: |
| - Cmd.CombinedOutput |
| - Cmd.Environ |
| - Cmd.Output |
| - Cmd.Run |
| - Cmd.Start |
| summary: Unsanitized NUL in environment variables on Windows in syscall and os/exec |
| description: |- |
| Due to unsanitized NUL values, attackers may be able to maliciously set |
| environment variables on Windows. |
| |
| In syscall.StartProcess and os/exec.Cmd, invalid environment variable values |
| containing NUL values are not properly checked for. A malicious environment |
| variable value can exploit this behavior to set a value for a different |
| environment variable. For example, the environment variable string "A=B\x00C=D" |
| sets the variables "A=B" and "C=D". |
| credits: |
| - RyotaK (https://twitter.com/ryotkak) |
| references: |
| - report: https://go.dev/issue/56284 |
| - fix: https://go.dev/cl/446916 |
| - web: https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ |
| cve_metadata: |
| id: CVE-2022-41716 |
| cwe: 'CWE-158: Improper Neutralization of Null Byte or NUL Character' |
| review_status: REVIEWED |