Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 67.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 26; latest update May 24

Description

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (1 package)

NVD: golang/go, affected 1.15, fixed 1.15.7 (+1)

Also affects: Fedora 33

🔴 Vulnerability Details (4)

GHSA: GHSA-79cw-x93g-q95p: Go before 1... (2022-05-24)
OSV: Arbitrary code injection via the go command with cgo on Windows in cmd/go (2021-04-14)
CVEList: CVE-2021-3115: Go before 1... (2021-01-26)
OSV: CVE-2021-3115: Go before 1... (2021-01-26)

📋 Vendor Advisories (3)

Red Hat: golang: cmd/go: packages using cgo can cause arbitrary code execution at build time (2021-01-20)
Microsoft: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example cg... (2021-01-12)
Debian: CVE-2021-3115: golang-1.15 - Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command I... (2021)
CVE-2021-3115 — Uncontrolled Search Path Element | cvebase