CVE-2020-28367 — Code Injection in Toolchain CMD GO

CWE-94 — Code Injection CWE-20 — Improper Input Validation CWE-88 — Argument Injection8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 49.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Toolchain CMD GO Golang GO

Timeline

PublishedNov 18

Latest updateJul 28

Description

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDgolang/go1.15 — 1.15.5+1

▶CVEListV5go_toolchain/cmd_go1.15.0-0 — 1.15.5+1

🔴Vulnerability Details

OSV

Arbitrary code execution via the go command with cgo in cmd/go↗2022-07-28

▶

GHSA

GHSA-827f-m9xx-4cfw: Go before 1↗2022-05-24

▶

CVEList

Arbitrary code execution via the go command with cgo in cmd/go↗2020-11-18

▶

OSV

CVE-2020-28367: Code injection in the go command with cgo before Go 1↗2020-11-18

▶

📋Vendor Advisories

Red Hat

golang: improper validation of cgo flags can lead to code execution at build time↗2020-11-12

▶

Microsoft

Arbitrary code execution via the go command with cgo in cmd/go↗2020-11-10

▶

Debian

CVE-2020-28367: golang-1.15 - Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows...↗2020

▶