PT-2022-20188 · Google+2 · Go+2

Bk2204

Published

2022-06-07

Updated

2026-03-06

CVE-2022-30580

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.17.11 Go versions prior to 1.18.3

Description The issue allows for code injection in Cmd.Start in os/exec, enabling the execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. This occurs on Windows.

Recommendations For Go versions prior to 1.17.11, update to Go 1.17.11 or later to resolve the issue. For Go versions prior to 1.18.3, update to Go 1.18.3 or later to resolve the issue. As a temporary workaround, consider setting Cmd.Path to a specific executable to avoid unintentional execution of binaries in the working directory.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

ALT-PU-2022-2036

ALT-PU-2022-2041

ALT-PU-2022-2873

ALT-PU-2023-1205

AZL-10532

AZL-79108

BIT-GOLANG-2022-30580

CVE-2022-30580

GO-2022-0532

OPENSUSE-SU-2022_2004-1

OPENSUSE-SU-2022_2005-1

OPENSUSE-SU-2024:12123-1

OPENSUSE-SU-2024:12124-1

SUSE-SU-2022:2004-1

SUSE-SU-2022:2005-1

SUSE-SU-2023:2312-1

Affected Products

Alt Linux

Suse

PT-2022-20188 · Google+2 · Go+2

CVE-2022-30580

Weakness Enumeration

Related Identifiers

Affected Products

References · 84