QID 354901

code injection in cmd.
Start in os/exec before go 1.17.11 and go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling cmd.
Run, cmd.
Start, cmd.
Output, or cmd.
Combinedoutput when cmd.
Path is unset. (
( CVE-2022-30580) infinite loop in read in crypto/rand before go 1.17.11 and go 1.18.3 on windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (
( CVE-2022-30634) an uncontrolled resource consumption flaw was found in golang math/big.
A too-short encoded message can cause a panic in float.
Gobdecode and rat.
Gobdecode in math/big in go, potentially allowing an attacker to create a denial of service, impacting availability. (
( CVE-2022-32189) an attacker can cause excessive memory growth in a go server accepting http/2 requests.
Http/2 server connections contain a cache of http header keys sent by the client.
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 mib per open connection. (
( CVE-2022-41717) the go project has described this issue as follows: "on windows, the filepath.
Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b.
This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.
The filepath.
Clean function will now transform this path into the relative (but still invalid) path .\c:\b." (
This does not impact usages of crypto/ecdsa or crypto/ecdh. (
This stems from several causes: 1.
Mime/multipart.
Reader.
2.
3.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.