Lucene search
GoVULNRICHMENT:CVE-2022-41716HistoryNov 02, 2022 - 3:28 p.m.
CVE-2022-41716 Unsanitized NUL in environment variables on Windows in syscall and os/exec
2022-11-0215:28:19
Go
github.com
6
cve-2022-41716
unsanitized nul
windows
syscall
os/exec
environment variables
malicious
startprocess
cmd
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string โA=B\x00C=Dโ sets the variables โA=Bโ and โC=Dโ.
CNA Affected
[
{
"vendor": "Go standard library",
"product": "syscall",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "1.18.8",
"versionType": "semver"
},
{
"status": "affected",
"version": "1.19.0-0",
"lessThan": "1.19.3",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"packageName": "syscall",
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"programRoutines": [
{
"name": "StartProcess"
}
]
},
{
"vendor": "Go standard library",
"product": "os/exec",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "1.18.8",
"versionType": "semver"
},
{
"status": "affected",
"version": "1.19.0-0",
"lessThan": "1.19.3",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"packageName": "os/exec",
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"programRoutines": [
{
"name": "Cmd.environ"
},
{
"name": "dedupEnv"
},
{
"name": "dedupEnvCase"
},
{
"name": "Cmd.CombinedOutput"
},
{
"name": "Cmd.Environ"
},
{
"name": "Cmd.Output"
},
{
"name": "Cmd.Run"
},
{
"name": "Cmd.Start"
}
]
}
]Related
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:4055-1)
2022-11-18 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:4054-1)
2022-11-18 00:00:00
Mageia: Security Advisory (MGASA-2022-0444)
2022-11-28 00:00:00
mageia
mageia
Updated golang packages fix security vulnerability
2022-11-27 23:51:49
nessus
nessus
Photon OS 3.0: Go PHSA-2022-3.0-0487
2024-07-24 00:00:00
FreeBSD : go -- syscall, os/exec: unsanitized NUL in environment variables (26b1100a-5a27-11ed-abfe-29ac76ec31b5)
2022-11-02 00:00:00
SUSE SLED15 / SLES15 Security Update : go1.19 (SUSE-SU-2022:4054-1)
2022-11-19 00:00:00
ibm
ibm
osv
osv
CGA-62f4-2wff-q4x6
2024-06-06 12:24:22
CVE-2022-41716
2022-11-02 16:15:11
Unsanitized NUL in environment variables on Windows in syscall and os/exec
2022-11-01 23:55:57
nvd
nvd
CVE-2022-41716
2022-11-02 16:15:11
alpinelinux
alpinelinux
CVE-2022-41716
2022-11-02 16:15:11
freebsd
freebsd
go -- syscall, os/exec: unsanitized NUL in environment variables
2022-10-17 00:00:00
prion
prion
Code injection
2022-11-02 16:15:00
veracode
veracode
Privilege Escalation
2022-11-03 01:43:24
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.19.3-alt1
2022-11-03 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2022-0282
2022-11-15 00:00:00
Important Photon OS Security Update - PHSA-2022-4.0-0282
2022-11-15 00:00:00
Important Photon OS Security Update - PHSA-2022-0541
2022-11-15 00:00:00
debiancve
debiancve
CVE-2022-41716
2022-11-02 16:15:11
cvelist
cvelist
ubuntucve
ubuntucve
CVE-2022-41716
2022-11-02 00:00:00
cve
cve
CVE-2022-41716
2022-11-02 16:15:11
oraclelinux
oraclelinux
ol8addon security update
2023-03-07 00:00:00
ol8addon security update
2022-11-23 00:00:00
AI Score
6.5
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Related for VULNRICHMENT:CVE-2022-41716