CVE-2023-29402: Code Injection in Go Toolchain cmd/go

CWE-94: Code Injection
11 documents, 8 sources

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.1% (top 68.23%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jun 8
Latest update: Nov 14

Description

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: golang/go, 1.20.0 to 1.20.5 (+1)
CVEList V5: go_toolchain/cmd_go, 1.20.0-0 to 1.20.5 (+1)

Also affects: Fedora 38

Patches

🔴 Vulnerability Details (5)

OSV: golang-1.17 vulnerabilities (2024-10-10)
CVEList: Code injection via go command with cgo in cmd/go (2023-06-08)
GHSA: GHSA-f2cj-5636-4j38: The go command may generate unexpected code at build time when using cgo (2023-06-08)
OSV: Code injection via go command with cgo in cmd/go (2023-06-08)
OSV: CVE-2023-29402: The go command may generate unexpected code at build time when using cgo (2023-06-08)

📋 Vendor Advisories (5)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-10-10)
Microsoft: Code injection via go command with cgo in cmd/go (2023-06-13)
Red Hat: golang: cmd/go: go command may generate unexpected code at build time when using cgo (2023-06-08)
Debian: CVE-2023-29402: golang-1.15 - The go command may generate unexpected code at build time when using cgo. This m... (2023)
CVE-2023-29402 — Code Injection in GO Toolchain CMD GO | cvebase