CVE-2022-30580

Aliases:GO-2022-0532BIT-golang-2022-30580

Advisory lineage Upstream: 0 Downstream: 5

Downstream

OPENSUSE-SU-2024:12123-1 OPENSUSE-SU-2024:12124-1 SUSE-SU-2022:2004-1 SUSE-SU-2022:2005-1 SUSE-SU-2023:2312-1

Modified

Published: 09 Aug 2022, 20:18

Last modified:06 Mar 2026, 17:34

Vulnerability Summary

Overall Risk (default)

medium

31/100

CVSS Score

7.8 HIGH

v3.1 (nvd)

EPSS Score

0.07% LOW

0% probability +0.04%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Aug 2022, 20:18

Published

Vulnerability first disclosed

06 Mar 2026, 17:34

Last Modified

Vulnerability information updated

Description

Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.

CVSS Metrics

v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.07%• Percentile: 21%

Techniques & Countermeasures

CWE-94•Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

go standard library•os/exec
< 1.17.11 | ≥ 1.18.0-0, < 1.18.3
golang•go
< 1.17.11 | ≥ 1.18.0, < 1.18.3
Go•stdlib
≥ 1.18.0-0, < 1.18.3