
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-30580 is a code injection vulnerability in the os/exec package of the Go programming language, affecting versions before Go 1.17.11 and Go 1.18.3. On Windows, when Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput is called on a Cmd whose Path field is unset, the package can execute a binary named '..com' or '..exe' that sits in the working directory (Go Issue, NVD).
The vulnerability is classified as code injection (CWE-94) with a CVSS v3.1 base score of 7.8 (HIGH). It affects Windows only: the Windows executable lookup joins the command name onto the current directory and appends each PATHEXT extension in turn, and an empty name collapses to '.', so the filenames actually probed are '..com' and '..exe'. The call shape at risk is a Cmd built as a struct literal (or with its Path cleared) rather than through exec.Command, which always sets Path (NVD, Go Advisory).
When exploited, the flaw gives an attacker who can drop a file into the affected process's working directory arbitrary code execution on Windows with that process's privileges. The high CVSS score reflects high impact on confidentiality, integrity, and availability once the attacker-controlled binary runs (NVD).
The vulnerability is fixed in Go 1.17.11 and Go 1.18.3; upgrade to those or later releases. The fix makes Cmd.Start (and therefore Run, Output, and CombinedOutput, which call it) return a clear error when Cmd.Path is unset instead of falling through to the executable lookup (Go Announce).
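The lookup behaviour and the fix described above, as an added Go example written for this page (it is not code from the Go project or from the advisory): candidateNames reconstructs in simplified form how the pre-fix Windows lookup turns a command name into the filenames it probes (the default PATHEXT list used here is an assumption), startUnsetPath exercises the unset-Path call shape the advisory describes, guardedStart is a user-space equivalent of the upstream fix for code that cannot upgrade yet, and findLookalikes sweeps a directory for the '..com'/'..exe' style files the bug would have executed. All function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// defaultExts stands in for the extensions the Windows lookup tries when
// PATHEXT is unset (assumed here for illustration; a real PATHEXT may differ).
var defaultExts = []string{".com", ".exe", ".bat", ".cmd"}

// candidateNames reconstructs, in simplified form, the filenames the pre-fix
// Windows lookup probed for a command name: the name joined onto "." with each
// extension appended. This is written for this page, not copied from os/exec.
// With an empty name, filepath.Join(".", "") collapses to ".", so the probes
// become "..com", "..exe", ..., which is why the advisory names those files.
func candidateNames(file string, exts []string) []string {
	base := filepath.Join(".", file)
	out := make([]string, 0, len(exts))
	for _, ext := range exts {
		out = append(out, base+ext)
	}
	return out
}

// startUnsetPath builds an exec.Cmd literal (not via exec.Command) and leaves
// Path empty, the call shape the advisory describes, then calls Start. On a
// patched toolchain Start returns "exec: no command" and spawns nothing; on an
// unpatched Windows toolchain it would run a "..exe" found in the working dir.
func startUnsetPath() error {
	cmd := &exec.Cmd{Args: []string{"tool", "--help"}} // Path deliberately unset
	return cmd.Start()
}

// guardedStart is a user-space version of the upstream fix for code that must
// still run on an unpatched toolchain: a Cmd with no Path is refused before
// any process is spawned. Prefer exec.Command, which always sets Path.
func guardedStart(cmd *exec.Cmd) error {
	if cmd.Path == "" {
		return errors.New("guardedStart: refusing Cmd with empty Path")
	}
	return cmd.Start()
}

// findLookalikes lists which of the candidate names for an empty command exist
// as regular files (symlinks followed) in dir. A "..exe" planted in a working
// directory is the payload shape this CVE would have executed; the sweep is a
// detection aid for defenders, not part of os/exec.
func findLookalikes(dir string) ([]string, error) {
	var found []string
	for _, name := range candidateNames("", defaultExts) {
		p := filepath.Join(dir, name)
		info, err := os.Stat(p)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		if info.Mode().IsRegular() {
			found = append(found, p)
		}
	}
	return found, nil
}

func main() {
	fmt.Println("probed for empty command:", candidateNames("", defaultExts))
	if err := startUnsetPath(); err != nil {
		fmt.Println("Start refused:", err)
	}
	if err := guardedStart(&exec.Cmd{Args: []string{"tool"}}); err != nil {
		fmt.Println(err)
	}
	cwd, _ := os.Getwd()
	hits, err := findLookalikes(cwd)
	fmt.Println("lookalikes in cwd:", hits, err)
}
```

On a patched toolchain, and on any non-Windows platform, startUnsetPath returns an error and nothing is executed; on an unpatched Windows toolchain with a '..exe' in the working directory it would run that file, so only exercise it in a directory you control. The sweep matches only the exact probe names, so point it at the working directories of services that spawn subprocesses rather than expecting it to find every dropped binary.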
The vulnerability was reported by multiple security researchers including Chris Darroch, brian m. carlson, and Mikhail Shcherbakov. The Go team promptly addressed the issue by releasing security patches and making a public announcement through their mailing list (Go Advisory).
Source: This report was generated using AI