GO-2022-0532

Source
https://pkg.go.dev/vuln/GO-2022-0532
Import Source
https://vuln.go.dev/ID/GO-2022-0532.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0532
Aliases
Published
2022-07-26T21:41:20Z
Modified
2024-05-20T16:03:47Z
Summary
Empty Cmd.Path can trigger unintended binary in os/exec on Windows
Details

On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".

References
Credits
    • Chris Darroch (chrisd8088@github.com)
    • brian m. carlson (bk2204@github.com)
    • Mikhail Shcherbakov (https://twitter.com/yu5k3)

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.17.11
Introduced
1.18.0-0
Fixed
1.18.3

Ecosystem specific

{
    "imports": [
        {
            "path": "os/exec",
            "symbols": [
                "Cmd.Start"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}