CVE-2023-24531: Toolchain CMD GO vulnerability

10 documents, 7 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 0.5% (top 34.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 2; Latest update Nov 14

Description

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

CVEListV5: go_toolchain/cmd_go < 1.21.0-0

🔴 Vulnerability Details (5)

OSV: golang-1.17 vulnerabilities (2024-10-10)
OSV: CVE-2023-24531: Command go env is documented as outputting a shell script containing the Go environment (2024-07-02)
CVEList: Output of "go env" does not sanitize values in cmd/go (2024-07-02)
OSV: Output of "go env" does not sanitize values in cmd/go (2024-07-02)
GHSA: GHSA-cwpg-qgc6-jxvq: Command go env is documented as outputting a shell script containing the Go environment (2024-07-02)

📋 Vendor Advisories (4)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-10-10)
Microsoft: Output of "go env" does not sanitize values in cmd/go (2024-07-09)
Debian: CVE-2023-24531: golang-1.15 - Command go env is documented as outputting a shell script containing the Go envi... (2023)