CVE-2022-30580

NameCVE-2022-30580
DescriptionCode injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-1.11 (PTS)buster, buster (security)1.11.6-1+deb10u4fixed
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4fixed
golang-1.18 (PTS)bookworm, sid1.18.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-1.11source(unstable)(not affected)
golang-1.15source(unstable)(not affected)
golang-1.17source(unstable)(not affected)
golang-1.18source(unstable)(not affected)
golang-1.7source(unstable)(not affected)
golang-1.8source(unstable)(not affected)

Notes

- golang-1.18 <not-affected> (Only affects Go on Windows)
- golang-1.17 <not-affected> (Only affects Go on Windows)
- golang-1.15 <not-affected> (Only affects Go on Windows)
- golang-1.11 <not-affected> (Only affects Go on Windows)
- golang-1.8 <not-affected> (Only affects Go on Windows)
- golang-1.7 <not-affected> (Only affects Go on Windows)
https://go.dev/issue/52574

Search for package or bug name: Reporting problems