Unsanitized NUL in environment variables on Windows in syscall and os/exec
CVE-2022-41716

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Syscall; Os/exec
Vendor: CVE Published:; 2 November 2022

What is CVE-2022-41716?

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Affected Version(s)

os/exec windows 0 < 1.18.8

os/exec windows 1.19.0-0 < 1.19.3

syscall windows 0 < 1.18.8

References

https://go.dev/issue/56284

https://go.dev/cl/446916

https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 2, 2022
Vulnerability Reserved
Sep 28, 2022

Credit

RyotaK (https://twitter.com/ryotkak)

Go Standard Library

What is CVE-2022-41716?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit