Vulnerabilites related to Go toolchain - cmd/cgo
cve-2023-29405
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-01-06 19:44
Severity ?
EPSS score ?
Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.20.0-0 ≤ |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-12-06T13:09:26.090Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/60306", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/501224", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-1842", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, { url: "https://security.netapp.com/advisory/ntap-20241206-0003/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-29405", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T19:44:14.217992Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-06T19:44:24.568Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/cgo", product: "cmd/cgo", vendor: "Go toolchain", versions: [ { lessThan: "1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Nurminen of Mattermost", }, ], descriptions: [ { lang: "en", value: "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-04T18:09:23.809Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/60306", }, { url: "https://go.dev/cl/501224", }, { url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { url: "https://pkg.go.dev/vuln/GO-2023-1842", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-29405", datePublished: "2023-06-08T20:19:19.267Z", dateReserved: "2023-04-05T19:36:35.043Z", dateUpdated: "2025-01-06T19:44:24.568Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-28366
Vulnerability from cvelistv5
Published
2020-11-18 00:00
Modified
2024-08-04 16:33
Severity ?
EPSS score ?
Summary
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Go toolchain | cmd/go |
Version: 0 ≤ Version: 1.15.0-0 ≤ |
||||||
|
|||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:33:58.955Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/cl/269658", }, { tags: [ "x_transferred", ], url: "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/42559", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2022-0475", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", programRoutines: [ { name: "Builder.cgo", }, ], vendor: "Go toolchain", versions: [ { lessThan: "1.14.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.15.5", status: "affected", version: "1.15.0-0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/cgo", product: "cmd/cgo", programRoutines: [ { name: "dynimport", }, ], vendor: "Go toolchain", versions: [ { lessThan: "1.14.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.15.5", status: "affected", version: "1.15.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Chris Brown (Tempus Ex)", }, ], descriptions: [ { lang: "en", value: "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-12T19:04:21.017Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/269658", }, { url: "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292", }, { url: "https://go.dev/issue/42559", }, { url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { url: "https://pkg.go.dev/vuln/GO-2022-0475", }, ], title: "Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2020-28366", datePublished: "2020-11-18T00:00:00", dateReserved: "2020-11-09T00:00:00", dateUpdated: "2024-08-04T16:33:58.955Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }