blob: 31c75f886bdcf529f774d64e7f4f381c03ce01ae [file] [log] [blame]
id: GO-2022-1095
modules:
- module: std
versions:
- fixed: 1.18.8
- introduced: 1.19.0-0
- fixed: 1.19.3
vulnerable_at: 1.19.2
packages:
- package: syscall
goos:
- windows
symbols:
- StartProcess
- package: os/exec
goos:
- windows
symbols:
- Cmd.environ
- dedupEnv
- dedupEnvCase
derived_symbols:
- Cmd.CombinedOutput
- Cmd.Environ
- Cmd.Output
- Cmd.Run
- Cmd.Start
summary: Unsanitized NUL in environment variables on Windows in syscall and os/exec
description: |-
Due to unsanitized NUL values, attackers may be able to maliciously set
environment variables on Windows.
In syscall.StartProcess and os/exec.Cmd, invalid environment variable values
containing NUL values are not properly checked for. A malicious environment
variable value can exploit this behavior to set a value for a different
environment variable. For example, the environment variable string "A=B\x00C=D"
sets the variables "A=B" and "C=D".
credits:
- RyotaK (https://twitter.com/ryotkak)
references:
- report: https://go.dev/issue/56284
- fix: https://go.dev/cl/446916
- web: https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ
cve_metadata:
id: CVE-2022-41716
cwe: 'CWE-158: Improper Neutralization of Null Byte or NUL Character'
review_status: REVIEWED