Vulnerabilities related to Go toolchain - cmd/go
cve-2023-24531
Vulnerability from cvelistv5
Published
2024-07-02 19:51
Modified
2025-03-28 15:02
Summary
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2025-03-28T15:02:59.076Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/cl/488375", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/493535", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/58508", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2024-2962", }, { url: "https://security.netapp.com/advisory/ntap-20250328-0005/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:gotoolchain:cmd\\/go:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "cmd\\/go", vendor: "gotoolchain", versions: [ { lessThan: "1.21.0-0", status: "affected", version: "0", versionType: "semver", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-24531", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-21T13:30:10.564913Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-21T13:49:46.839Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.21.0-0", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Hunter 
Wittenborn (https://hunterwittenborn.com/)", }, ], descriptions: [ { lang: "en", value: "Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making \"go env\" print them out.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-138: Improper Neutralization of Special Elements", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-02T19:51:48.731Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/488375", }, { url: "https://go.dev/cl/493535", }, { url: "https://go.dev/issue/58508", }, { url: "https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ", }, { url: "https://pkg.go.dev/vuln/GO-2024-2962", }, ], title: "Output of \"go env\" does not sanitize values in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-24531", datePublished: "2024-07-02T19:51:48.731Z", dateReserved: "2023-01-25T21:19:20.641Z", dateUpdated: "2025-03-28T15:02:59.076Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-45285
Vulnerability from cvelistv5
Published
2023-12-06 16:27
Modified
2025-02-13 17:14
Summary
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.21.0-0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T20:21:15.349Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/63845", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/540257", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-2383", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.20.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.21.5", status: "affected", version: "1.21.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "David Leadbeater", }, ], descriptions: [ { lang: "en", value: "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. 
GOPROXY=off).", }, ], problemTypes: [ { descriptions: [ { description: "CWE-636: Not Failing Securely ('Failing Open')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-20T04:06:28.460Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ", }, { url: "https://go.dev/issue/63845", }, { url: "https://go.dev/cl/540257", }, { url: "https://pkg.go.dev/vuln/GO-2023-2383", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/", }, ], title: "Command 'go get' may unexpectedly fallback to insecure git in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-45285", datePublished: "2023-12-06T16:27:55.521Z", dateReserved: "2023-10-06T17:06:26.220Z", dateUpdated: "2025-02-13T17:14:00.033Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-45340
Vulnerability from cvelistv5
Published
2025-01-28 01:03
Modified
2025-01-30 19:14
Summary
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 1.24.0-0 ≤
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-45340", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-28T14:57:35.666224Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-28T15:16:48.229Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.24.0-rc.2", status: "affected", version: "1.24.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Forsén of Mattermost", }, ], descriptions: [ { lang: "en", value: "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. 
By default, unless otherwise set, this only affected credentials stored in the users .netrc file.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-201: Insertion of Sensitive Information Into Sent Data", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-30T19:14:21.639Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/643097", }, { url: "https://go.dev/issue/71249", }, { url: "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", }, { url: "https://pkg.go.dev/vuln/GO-2025-3383", }, ], title: "GOAUTH credential leak in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2024-45340", datePublished: "2025-01-28T01:03:24.605Z", dateReserved: "2024-08-27T19:41:58.556Z", dateUpdated: "2025-01-30T19:14:21.639Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-28366
Vulnerability from cvelistv5
Published
2020-11-18 00:00
Modified
2024-08-04 16:33
Summary
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.15.0-0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:33:58.955Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/cl/269658", }, { tags: [ "x_transferred", ], url: "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/42559", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2022-0475", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", programRoutines: [ { name: "Builder.cgo", }, ], vendor: "Go toolchain", versions: [ { lessThan: "1.14.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.15.5", status: "affected", version: "1.15.0-0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/cgo", product: "cmd/cgo", programRoutines: [ { name: "dynimport", }, ], vendor: "Go toolchain", versions: [ { lessThan: "1.14.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.15.5", status: "affected", version: "1.15.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Chris Brown (Tempus Ex)", }, ], descriptions: [ { lang: "en", value: "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-12T19:04:21.017Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: 
"https://go.dev/cl/269658", }, { url: "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292", }, { url: "https://go.dev/issue/42559", }, { url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { url: "https://pkg.go.dev/vuln/GO-2022-0475", }, ], title: "Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2020-28366", datePublished: "2020-11-18T00:00:00", dateReserved: "2020-11-09T00:00:00", dateUpdated: "2024-08-04T16:33:58.955Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-29405
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-01-06 19:44
Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.20.0-0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-12-06T13:09:26.090Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/60306", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/501224", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-1842", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, { url: "https://security.netapp.com/advisory/ntap-20241206-0003/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-29405", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T19:44:14.217992Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-06T19:44:24.568Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: 
"1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/cgo", product: "cmd/cgo", vendor: "Go toolchain", versions: [ { lessThan: "1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Nurminen of Mattermost", }, ], descriptions: [ { lang: "en", value: "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. 
This only affects usage of the gccgo compiler.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-04T18:09:23.809Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/60306", }, { url: "https://go.dev/cl/501224", }, { url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { url: "https://pkg.go.dev/vuln/GO-2023-1842", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-29405", datePublished: "2023-06-08T20:19:19.267Z", dateReserved: "2023-04-05T19:36:35.043Z", dateUpdated: "2025-01-06T19:44:24.568Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-24787
Vulnerability from cvelistv5
Published
2024-05-08 15:31
Modified
2025-02-13 17:40
Summary
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.22.0-0 ≤
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:golang:go:1.21.0:-:*:*:*:*:*:*", ], defaultStatus: "affected", product: "go", vendor: "golang", versions: [ { status: "affected", version: "1.21.0", }, { status: "affected", version: "1.22", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-24787", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-05T14:49:29.014816Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-05T14:54:50.242Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.679Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/67119", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/583815", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2024-2825", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240531-0006/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/05/08/3", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", platforms: [ "darwin", ], product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.21.10", status: "affected", version: "0", versionType: 
"semver", }, { lessThan: "1.22.3", status: "affected", version: "1.22.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Forsén (Mattermost)", }, ], descriptions: [ { lang: "en", value: "On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a \"#cgo LDFLAGS\" directive.", }, ], problemTypes: [ { descriptions: [ { description: "CWE 74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-10T16:10:10.782Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/67119", }, { url: "https://go.dev/cl/583815", }, { url: "https://groups.google.com/g/golang-announce/c/wkkO4P9stm0", }, { url: "https://pkg.go.dev/vuln/GO-2024-2825", }, { url: "https://security.netapp.com/advisory/ntap-20240531-0006/", }, { url: "http://www.openwall.com/lists/oss-security/2024/05/08/3", }, ], title: "Arbitrary code execution during build on Darwin in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2024-24787", datePublished: "2024-05-08T15:31:14.530Z", dateReserved: "2024-01-30T16:05:14.758Z", dateUpdated: "2025-02-13T17:40:26.439Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-22867
Vulnerability from cvelistv5
Published
2025-02-06 17:09
Modified
2025-02-06 21:23
Summary
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 1.24.0-rc.2 ≤
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2025-22867", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-06T20:06:49.179700Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-06T21:23:25.105Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", platforms: [ "darwin", ], product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.24.0-rc.3", status: "affected", version: "1.24.0-rc.2", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Forsén of Mattermost", }, ], descriptions: [ { lang: "en", value: "On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a \"#cgo LDFLAGS\" directive. 
This issue only affected go1.24rc2.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-06T17:09:56.893Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/646996", }, { url: "https://go.dev/issue/71476", }, { url: "https://groups.google.com/g/golang-dev/c/TYzikTgHK6Y", }, { url: "https://pkg.go.dev/vuln/GO-2025-3428", }, ], title: "Arbitrary code execution during build on darwin in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2025-22867", datePublished: "2025-02-06T17:09:56.893Z", dateReserved: "2025-01-08T19:11:42.834Z", dateUpdated: "2025-02-06T21:23:25.105Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-29402
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-02-13 16:49
Summary
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.20.0-0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-12-13T13:09:24.218Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/60167", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/501226", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-1839", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, { url: "https://security.netapp.com/advisory/ntap-20241213-0004/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-29402", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T21:13:13.159691Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-06T21:14:36.576Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: 
"1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Nurminen of Mattermost", }, ], descriptions: [ { lang: "en", value: "The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-25T11:09:38.111Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/60167", }, { url: "https://go.dev/cl/501226", }, { url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { url: "https://pkg.go.dev/vuln/GO-2023-1839", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Code injection via go command with cgo in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-29402", datePublished: "2023-06-08T20:19:04.483Z", dateReserved: "2023-04-05T19:36:35.042Z", dateUpdated: "2025-02-13T16:49:13.450Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-39323
Vulnerability from cvelistv5
Published
2023-10-05 20:36
Modified
2025-02-13 17:02
Summary
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | Version: 0 ≤; Version: 1.21.0-0 ≤
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:02:06.899Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/63211", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/533215", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-2095", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20231020-0001/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.20.9", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.21.2", status: "affected", version: "1.21.0-0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". 
The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.", }, ], problemTypes: [ { descriptions: [ { description: "CWE 94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-25T11:09:58.922Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/63211", }, { url: "https://go.dev/cl/533215", }, { url: "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo", }, { url: "https://pkg.go.dev/vuln/GO-2023-2095", }, { url: "https://security.netapp.com/advisory/ntap-20231020-0001/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Arbitrary code execution during build via line directives in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-39323", datePublished: "2023-10-05T20:36:58.756Z", dateReserved: "2023-07-27T17:05:55.188Z", dateUpdated: "2025-02-13T17:02:49.699Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-39320
Vulnerability from cvelistv5
Published
2023-09-08 16:13
Modified
2025-02-13 17:02
Summary
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | 1.21.0-0 ≤ version < 1.21.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:02:06.849Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/62198", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/526158", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-2042", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20231020-0004/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-39320", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-26T17:28:10.391044Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-26T17:28:41.807Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: "1.21.1", status: "affected", version: "1.21.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Nurminen of Mattermost", }, ], descriptions: [ { lang: "en", value: "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. 
This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-25T11:10:00.880Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/62198", }, { url: "https://go.dev/cl/526158", }, { url: "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", }, { url: "https://pkg.go.dev/vuln/GO-2023-2042", }, { url: "https://security.netapp.com/advisory/ntap-20231020-0004/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Arbitrary code execution via go.mod toolchain directive in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-39320", datePublished: "2023-09-08T16:13:26.609Z", dateReserved: "2023-07-27T17:05:55.186Z", dateUpdated: "2025-02-13T17:02:48.022Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-28367
Vulnerability from cvelistv5
Published
2020-11-18 00:00
Modified
2024-08-04 16:33
Summary
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | 0 ≤ version < 1.14.12
Go toolchain | cmd/go | 1.15.0-0 ≤ version < 1.15.5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:33:59.087Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/cl/267277", }, { tags: [ "x_transferred", ], url: "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561", }, { tags: [ "x_transferred", ], url: "https://go.dev/issue/42556", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2022-0476", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", programRoutines: [ { name: "validCompilerFlags", }, ], vendor: "Go toolchain", versions: [ { lessThan: "1.14.12", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.15.5", status: "affected", version: "1.15.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Imre Rad", }, ], descriptions: [ { lang: "en", value: "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code ('Code Injection')", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-12T19:04:24.544Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/267277", }, { url: "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561", }, { url: "https://go.dev/issue/42556", }, { url: "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", }, { url: "https://pkg.go.dev/vuln/GO-2022-0476", }, { url: 
"https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html", }, ], title: "Arbitrary code execution via the go command with cgo in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2020-28367", datePublished: "2020-11-18T00:00:00", dateReserved: "2020-11-09T00:00:00", dateUpdated: "2024-08-04T16:33:59.087Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-29404
Vulnerability from cvelistv5
Published
2023-06-08 20:19
Modified
2025-01-06 19:47
Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
References
Impacted products
Vendor | Product | Version
---|---|---
Go toolchain | cmd/go | 0 ≤ version < 1.19.10
Go toolchain | cmd/go | 1.20.0-0 ≤ version < 1.20.5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-11-15T13:08:12.758Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/60305", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/501225", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2023-1841", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { tags: [ "x_transferred", ], url: "https://security.gentoo.org/glsa/202311-09", }, { url: "https://security.netapp.com/advisory/ntap-20241115-0009/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-29404", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-06T19:47:37.186942Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-06T19:47:57.434Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "cmd/go", product: "cmd/go", vendor: "Go toolchain", versions: [ { lessThan: 
"1.19.10", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.20.5", status: "affected", version: "1.20.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Nurminen of Mattermost", }, ], descriptions: [ { lang: "en", value: "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-94: Improper Control of Generation of Code (\"Code Injection\")", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-04T18:09:18.646Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/60305", }, { url: "https://go.dev/cl/501225", }, { url: "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ", }, { url: "https://pkg.go.dev/vuln/GO-2023-1841", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/", }, { url: "https://security.gentoo.org/glsa/202311-09", }, ], title: "Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2023-29404", datePublished: "2023-06-08T20:19:17.548Z", dateReserved: "2023-04-05T19:36:35.043Z", dateUpdated: "2025-01-06T19:47:57.434Z", state: "PUBLISHED", }, 
dataType: "CVE_RECORD", dataVersion: "5.1", }