CVE-2023-29405Injection in Toolchain CMD CGO

CWE-74InjectionCWE-88Argument Injection10 documents8 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 44.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
GO Toolchain CMD CGOGO Toolchain CMD GOGolang GO+1 more
Timeline
PublishedJun 8
Latest updateNov 14

Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDgolang/go1.20.01.20.5+1
CVEListV5go_toolchain/cmd_go1.20.0-01.20.5+1
CVEListV5go_toolchain/cmd_cgo1.20.0-01.20.5+1

Also affects: Fedora 38

Patches

Patch: go.devPatch: go.dev

🔴Vulnerability Details

4
CVEList
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go2023-06-08
OSV
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go2023-06-08
GHSA
GHSA-68g3-2p3g-w9pq: The go command may execute arbitrary code at build time when using cgo2023-06-08
OSV
CVE-2023-29405: The go command may execute arbitrary code at build time when using cgo2023-06-08

📋Vendor Advisories

5
Ubuntu
Go vulnerabilities2024-11-14
Ubuntu
Go vulnerabilities2024-10-10
Microsoft
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go2023-06-13
Red Hat
golang: cmd/cgo: Arbitrary code execution triggered by linker flags2023-06-08
Debian
CVE-2023-29405: golang-1.15 - The go command may execute arbitrary code at build time when using cgo. This may...2023
CVE-2023-29405 — Injection in GO Toolchain CMD CGO | cvebase