CVE-2020-28366 — Code Injection in Toolchain CMD CGO

CWE-94 — Code Injection CWE-20 — Improper Input Validation8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 62.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Toolchain CMD CGO GO Toolchain CMD GO Golang GO +1 more

Timeline

PublishedNov 18

Latest updateJul 28

Description

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

▶NVDgolang/go1.15 — 1.15.5+1

▶CVEListV5go_toolchain/cmd_go1.15.0-0 — 1.15.5+1

▶CVEListV5go_toolchain/cmd_cgo1.15.0-0 — 1.15.5+1

Also affects: Fedora 32, 33

🔴Vulnerability Details

OSV

Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo↗2022-07-28

▶

GHSA

GHSA-mwfg-6wv9-379f: Go before 1↗2022-05-24

▶

OSV

CVE-2020-28366: Code injection in the go command with cgo before Go 1↗2020-11-18

▶

CVEList

Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo↗2020-11-18

▶

📋Vendor Advisories

Red Hat

golang: malicious symbol names can lead to code execution at build time↗2020-11-12

▶

Microsoft

Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo↗2020-11-10

▶

Debian

CVE-2020-28366: golang-1.15 - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows...↗2020

▶