| Vulnerability Name: | CVE-2022-30580 (CCN-229858) | ||||||||||||||||||||||||||||||||||||
| Assigned: | 2022-06-01 | ||||||||||||||||||||||||||||||||||||
| Published: | 2022-06-01 | ||||||||||||||||||||||||||||||||||||
| Updated: | 2022-08-12 | ||||||||||||||||||||||||||||||||||||
| Summary: | Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. | ||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
7.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
| ||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-94 | ||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-30580 Source: XF Type: UNKNOWN golang-cve202230580-code-exec(229858) Source: MISC Type: Vendor Advisory https://go.dev/cl/403759 Source: CCN Type: Golang Web site go1.18.3 (released 2022-06-01) Source: MISC Type: Issue Tracking, Third Party Advisory https://go.dev/issue/52574 Source: MISC Type: Mailing List, Patch, Vendor Advisory https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e Source: CCN Type: Golang Web page [security] Go 1.18.3 and Go 1.17.11 are released Source: MISC Type: Mailing List, Third Party Advisory https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ Source: MISC Type: Vendor Advisory https://pkg.go.dev/vuln/GO-2022-0532 Source: CCN Type: IBM Security Bulletin 6619905 (Spectrum Copy Data Management) Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus) Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6619963 (Spectrum Protect Plus) Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028) Source: CCN Type: IBM Security Bulletin 6620897 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go Source: CCN Type: IBM Security Bulletin 6825557 (Event Streams) Multiple vulnerabilities in Golang Go affect IBM Event Streams Source: CCN Type: IBM Security Bulletin 6831591 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak Source: CCN Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management) Multiple Vulnerabilities in Multicloud Management Security Services Source: CCN Type: IBM Security Bulletin 6958068 (CICS TX Standard) Multiple vulnerabilities in Go may affect IBM CICS TX Standard Source: CCN Type: IBM Security Bulletin 6966998 (WebSphere Automation) Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation | ||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||