← back
CVE-2022-30580

Empty Cmd.Path can trigger unintended binary in os/exec on Windows

CVSS 7.8 HIGHEPSS 0.6%CWE-94
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.8EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Aug 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Go standard library · os/exec

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://go.dev/cl/403759https://go.dev/issue/52574https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345ehttps://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJhttps://pkg.go.dev/vuln/GO-2022-0532