VDB
CISA-2022-41716
CISA-2022-41716
PUBLISHED
CVSS 6.3 MEDIUM
Reported by Go · Published November 2, 2022
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".
Risk Scores
CVSS 3.1
6.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go standard library | syscall | 0, 1.19.0-0 |
| Go standard library | os/exec | 0, 1.19.0-0 |
| Go standard library | os/exec | 0, 0, 1.19.0-0 |
| Go standard library | syscall | 0, 1.19.0-0, 1.19.0-0 |
Timeline
- Nov 2, 2022 CVE Published
- Oct 30, 2024 CVE Updated