CVE-2022-30580

NameCVE-2022-30580
DescriptionCode injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang (PTS)jessie, jessie (lts)2:1.3.3-1+deb8u5fixed
golang-1.11 (PTS)buster (security), buster, buster (lts)1.11.6-1+deb10u7fixed
golang-1.15 (PTS)bullseye1.15.15-1~deb11u4fixed
golang-1.7 (PTS)stretch (security), stretch (lts), stretch1.7.4-2+deb9u5fixed
golang-1.8 (PTS)stretch (security), stretch (lts), stretch1.8.1-1+deb9u5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golangsource(unstable)(not affected)
golang-1.11source(unstable)(not affected)
golang-1.15source(unstable)(not affected)
golang-1.17unknown(unstable)(not affected)
golang-1.18source(unstable)(not affected)
golang-1.7source(unstable)(not affected)
golang-1.8source(unstable)(not affected)

Notes

- golang-1.18 <not-affected> (Only affects Go on Windows)
- golang-1.17 <not-affected> (Only affects Go on Windows)
- golang-1.15 <not-affected> (Only affects Go on Windows)
- golang-1.11 <not-affected> (Only affects Go on Windows)
- golang-1.8 <not-affected> (Only affects Go on Windows)
- golang-1.7 <not-affected> (Only affects Go on Windows)
https://go.dev/issue/52574
- golang <not-affected> (Only affects Go on Windows)

Search for package or bug name: Reporting problems