Description
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
A flaw was found in the Go os/exec package. It occurs when Cmd.Run, Cmd.Start, Cmd.Output or Cmd.CombinedOutput is called with Cmd.Path unset: the executable lookup then probes the working directory for "..com" and "..exe", so an attacker who can place a binary with one of those names there can have it executed by the calling process.
Statement
CVE-2022-30580 affects Windows only: there, an empty Cmd.Path results in an unintended binary from the working directory being run. The packages shipped with Red Hat Enterprise Linux 8 and 9 are not affected.
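As an added example (not code from Go or from Red Hat), the lookup logic that turns an empty Path into the "..com" and "..exe" probes, re-implemented as a pure function over a constructed in-memory working directory so it runs on any OS, beside the empty-Path check that the fixed releases added and an equivalent application-side guard for code that must still run on an unpatched toolchain. The PATHEXT list, the `fsProbe` type, the sample directory contents and all function names are assumptions of this example; the probing order follows the Windows LookPath as the description above implies.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// pathExt is a constructed PATHEXT list, already lower-cased the way the
// Windows LookPath normalises it. Only the first two entries matter here.
var pathExt = []string{".com", ".exe", ".bat", ".cmd"}

// fsProbe is a constructed stand-in for os.Stat on the working directory:
// it reports whether a name exists and whether it is a directory, so the
// lookup logic can run on any OS without touching the real filesystem.
type fsProbe func(name string) (exists, isDir bool)

// chkStat mirrors the stdlib helper: a missing name or a directory is an error.
func chkStat(probe fsProbe, name string) error {
	exists, isDir := probe(name)
	switch {
	case !exists:
		return fmt.Errorf("%s: file does not exist", name)
	case isDir:
		return fmt.Errorf("%s: is a directory", name)
	}
	return nil
}

// hasExt mirrors the stdlib helper: true when a "." follows the last separator.
func hasExt(file string) bool {
	i := strings.LastIndex(file, ".")
	if i < 0 {
		return false
	}
	return strings.LastIndexAny(file, `:\/`) < i
}

// findExecutable reproduces the pre-fix probing order of the Windows LookPath
// for a bare name: the name joined onto ".", then name+ext for each PATHEXT
// entry. With name == "" the joined value is "." itself, which is a directory
// and is rejected, so the probes that follow are "..com", "..exe", ...
func findExecutable(probe fsProbe, name string, exts []string) (string, error) {
	file := filepath.Join(".", name) // "" becomes "."
	if hasExt(file) && chkStat(probe, file) == nil {
		return file, nil
	}
	for _, e := range exts {
		if f := file + e; chkStat(probe, f) == nil {
			return f, nil
		}
	}
	return "", fmt.Errorf("%q: executable file not found", name)
}

// vulnerableResolve is what Cmd.Start before Go 1.17.11 / 1.18.3 effectively
// did with the Path it was given.
func vulnerableResolve(probe fsProbe, path string) (string, error) {
	return findExecutable(probe, path, pathExt)
}

// fixedResolve adds the check the patched releases perform: an empty Path is
// rejected before any lookup runs. The error text is this example's own.
func fixedResolve(probe fsProbe, path string) (string, error) {
	if path == "" {
		return "", errors.New("exec: no command")
	}
	return findExecutable(probe, path, pathExt)
}

// checkedStart is the same guard applied on the application side (assumed
// helper): refuse to start a Cmd whose Path is empty instead of letting
// os/exec resolve it.
func checkedStart(cmd *exec.Cmd) error {
	if cmd.Path == "" {
		return errors.New("refusing to start: Cmd.Path is empty")
	}
	return cmd.Start()
}

func main() {
	// Constructed working directory: the current directory plus an
	// attacker-planted "..exe" next to a legitimate "tool.exe".
	workdir := map[string]bool{".": true, "..exe": false, "tool.exe": false}
	probe := func(name string) (bool, bool) { isDir, ok := workdir[name]; return ok, isDir }

	fmt.Println(vulnerableResolve(probe, "")) // the planted "..exe" wins
	fmt.Println(fixedResolve(probe, ""))      // rejected before lookup
	fmt.Println(fixedResolve(probe, "tool"))  // legitimate lookup still works

	// Path stays empty when the struct is built directly instead of via exec.Command.
	cmd := &exec.Cmd{Args: []string{"tool"}}
	fmt.Println(checkedStart(cmd))
}
```

Cmd.Path is normally filled in by exec.Command; it is empty when a Cmd is built as a struct literal or when code clears Path after construction, which is why the guard in checkedStart is worth keeping in code that may be built with an older toolchain.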
Affected Packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Not affected | ||
Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
Migration Toolkit for Containers | rhmtc/openshift-velero-plugin-rhel8 | Not affected | ||
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Not affected | ||
mirror registry for Red Hat OpenShift | mirror-registry-container | Not affected | ||
Node HealthCheck Operator | workload-availability/node-healthcheck-rhel8-operator | Not affected | ||
Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Not affected | ||
OpenShift API for Data Protection | oadp/oadp-velero-rhel8 | Not affected | ||
OpenShift Developer Tools and Services | helm | Not affected | ||
OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Not affected | ||
Additional information
Status:
EPSS:
CVSS3: 7.8 High