CVE-2022-29583 – github.com/kardianos/service
Package
Manager: go
Name: github.com/kardianos/service
Vulnerable Version: <0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: N/A
EPSS: 0.00063 (percentile: 0.19949)
Details
Disputed: OS Command injection in github.com/kardianos/service. service_windows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. The validity of this vulnerability has been [questioned](https://github.com/kardianos/service/pull/290#issuecomment-1109831505) and the reporter has requested that the CVE be [disputed](https://github.com/kardianos/service/issues/289#issuecomment-1110546798).
Metadata
Created: 2022-04-23T00:03:03Z
Modified: 2023-05-24T17:39:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-xm99-6pv5-q363/GHSA-xm99-6pv5-q363.json
CWE IDs: ["CWE-426", "CWE-78"]
Alternative ID: GHSA-xm99-6pv5-q363
Finding: N/A
Auto approve: 0