CVE-2022-30580

Published: Aug 9, 2022

Modified: Mar 6, 2026

PUBLISHED

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

Vendor	Product	Versions
Go standard library	os/exec	affected `0 - < 1.17.11` affected `1.18.0-0 - < 1.18.3`

References

https://go.dev/cl/403759

https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e

https://go.dev/issue/52574

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

https://pkg.go.dev/vuln/GO-2022-0532

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-30580

Description

Affected Products

References