Vulnerability Name: | CVE-2022-41716 (CCN-240206) | ||||||||||||
Assigned: | 2022-10-18 | ||||||||||||
Published: | 2022-10-18 | ||||||||||||
Updated: | 2023-06-27 | ||||||||||||
Summary: | Golang Go could allow a remote attacker to bypass security restrictions, caused by improper checking for invalid environment variable values in syscall.StartProcess and os/exec.Cmd. By using a specially-crafted environment variable value, an attacker could exploit this vulnerability to set a value for a different environment variable. | ||||||||||||
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
| ||||||||||||
Vulnerability Consequences: | Bypass Security | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2022-41716 Source: XF Type: UNKNOWN golang-cve202241716-sec-bypass(240206) Source: CCN Type: Go GIT Repository syscall, os/exec: unsanitized NUL in environment variables #56284 Source: security@golang.org Type: Patch, Vendor Advisory security@golang.org Source: security@golang.org Type: Issue Tracking, Patch, Vendor Advisory security@golang.org Source: security@golang.org Type: Patch, Release Notes, Vendor Advisory security@golang.org Source: CCN Type: Go Web site Vulnerability Report: GO-2022-1095 Source: security@golang.org Type: Vendor Advisory security@golang.org Source: CCN Type: IBM Security Bulletin 6854985 (Spectrum Copy Data Management) Vulnerabilities in Linux Kernel and Golang Go might affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6955849 (Decision Optimization for Cloud Pak for Data) Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data Source: CCN Type: IBM Security Bulletin 6958062 (Cloud Pak for Business Automation) Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 Source: CCN Type: IBM Security Bulletin 6958146 (Cloud Pak for Watson AIOps) Multiple Vulnerabilities in CloudPak for Watson AIOPs Source: CCN Type: IBM Security Bulletin 6963940 (CICS TX Advanced) CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced Source: CCN Type: IBM Security Bulletin 6963942 (CICS TX Standard) CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard Source: CCN Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent) Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift Source: CCN Type: IBM Security Bulletin 6965816 (Spectrum Protect Plus) Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6967671 (Watson Speech Services Cartridge for Cloud Pak for Data) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in Golang Go (CVE-2022-41716) Source: CCN Type: IBM Security Bulletin 6983270 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. Source: CCN Type: IBM Security Bulletin 6984199 (Db2 Rest) Multiple vulnerabilities affect IBM Db2 REST Source: CCN Type: IBM Security Bulletin 6986361 (Robotic Process Automation) Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. | ||||||||||||
Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||
Oval Definitions | |||||||||||||
| |||||||||||||
BACK |