CVE-2023-29404Code Injection in Toolchain CMD GO

CWE-94Code Injection10 documents8 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 75.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GO Toolchain CMD GOGolang GOFedoraproject Fedora
Timeline
PublishedJun 8
Latest updateNov 14

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compil

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDgolang/go1.20.01.20.5+1
CVEListV5go_toolchain/cmd_go1.20.0-01.20.5+1

Also affects: Fedora 38

Patches

Patch: go.devPatch: go.dev

🔴Vulnerability Details

4
OSV
CVE-2023-29404: The go command may execute arbitrary code at build time when using cgo2023-06-08
OSV
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go2023-06-08
CVEList
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go2023-06-08
GHSA
GHSA-888h-rm2r-vrc7: The go command may execute arbitrary code at build time when using cgo2023-06-08

📋Vendor Advisories

5
Ubuntu
Go vulnerabilities2024-11-14
Ubuntu
Go vulnerabilities2024-10-10
Microsoft
Improper handling of non-optional LDFLAGS in go command with cgo in cmd/go2023-06-13
Red Hat
golang: cmd/go: go command may execute arbitrary code at build time when using cgo2023-06-08
Debian
CVE-2023-29404: golang-1.15 - The go command may execute arbitrary code at build time when using cgo. This may...2023
CVE-2023-29404 — Code Injection in GO Toolchain CMD GO | cvebase