VDB

CISA-2022-41716

CISA-2022-41716 PUBLISHED CVSS 6.3 MEDIUM

Reported by Go · Published November 2, 2022

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Risk Scores

CVSS 3.1
6.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Affected Products

VendorProductVersions
Go standard librarysyscall0, 1.19.0-0
Go standard libraryos/exec0, 1.19.0-0
Go standard libraryos/exec0, 0, 1.19.0-0
Go standard librarysyscall0, 1.19.0-0, 1.19.0-0

Timeline

  • Nov 2, 2022 CVE Published
  • Oct 30, 2024 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›