cbcvebase.
CVE-2020-28366
published 2020-11-18

CVE-2020-28366: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in…

PriorityP344high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
EPSS
2.24%
80.7th percentile
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Affected

17 ranges
VendorProductVersion rangeFixed in
debiangolang-1.15< golang-1.15 1.15.5-1 (bullseye)golang-1.15 1.15.5-1 (bullseye)
fedoraprojectfedora
fedoraprojectfedora
go_toolchaincmd_cgo< 1.14.121.14.12
go_toolchaincmd_cgo>= 1.15.0-0 < 1.15.51.15.5
go_toolchaincmd_go< 1.14.121.14.12
go_toolchaincmd_go>= 1.15.0-0 < 1.15.51.15.5
golanggo< 1.14.121.14.12
golanggo>= 1.15 < 1.15.51.15.5
msrcazl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0
msrcazl3_python-tensorboard_2.16.2-1_on_azure_linux_3.0
msrccbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0
msrccm1_golang_1.15.13-1_on_cbl_mariner_1.0
msrcgolang-1.15.13-1.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm
msrcgolang-1.15.13-1.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64
msrcpython3-tensorboard-2.16.2-2.azl3.x86_64.rpm_on_azure_linux_3.0_x64
msrcpython3-tensorboard-data-server-2.16.2-2.azl3.x86_64.rpm_on_azure_linux_3.0_x64

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.05.1MEDIUMAV:N/AC:H/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.