CVE-2023-39320
Published 2023-09-08
Priority P261 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.42% (69.6th percentile)
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| go_toolchain | cmd_go | >= 1.21.0-0 < 1.21.1 | 1.21.1 |
| golang | go | >= 1.21.0 < 1.21.1 | 1.21.1 |
Detection & IOCs (extracted from sources)
- The go.mod `toolchain` directive can be abused to execute scripts and binaries relative to the module root when the `go` command is run inside the module; monitor for unexpected process spawning from `go` command invocations, especially child processes launched from module root directories.
- The attack surface includes modules fetched via the Go module proxy as well as those cloned directly via VCS (e.g., git); audit both download paths for unexpected or tampered go.mod toolchain directives.
- Red Hat marks all listed Go/golang packages as 'Not affected', meaning the vulnerability was not present or not exploitable in their shipped versions of the Go 1.21 toolchain packages.
- The vulnerability is specific to Go 1.21+, where the `toolchain` directive in go.mod was introduced; environments running Go versions prior to 1.21 are not affected.
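To support the audit described in the items above, here is an added Go example (not code from the advisory or from the Go project) that flags go.mod `toolchain` directives whose value is not a plain toolchain name. The validity pattern and the decision to treat anything else (a relative path, for instance) as suspicious are this example's own assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Well-formed toolchain names: "default" or goN.N[.N][rcN|betaN][-suffix]. Flagging anything else is this example's own rule.
var validToolchain = regexp.MustCompile(
	`^(default|go1\.[0-9]+(\.[0-9]+)?(rc[0-9]+|beta[0-9]+)?(-[A-Za-z0-9._]+)?)$`)

// SuspiciousToolchains returns every toolchain directive value in go.mod text that is not a plain toolchain name.
func SuspiciousToolchains(gomod string) []string {
	var bad []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line) // a commented-out "// toolchain x" has f[0]=="//" and is skipped
		if len(f) >= 2 && f[0] == "toolchain" && !validToolchain.MatchString(f[1]) {
			bad = append(bad, f[1])
		}
	}
	return bad
}

// ScanTree walks root (e.g. $GOMODCACHE or a vendor tree) and reports each go.mod whose toolchain directive looks suspicious.
func ScanTree(root string) (map[string][]string, error) {
	hits := map[string][]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "go.mod" {
			return err
		}
		data, err := os.ReadFile(p)
		if err == nil {
			if bad := SuspiciousToolchains(string(data)); len(bad) > 0 {
				hits[p] = bad
			}
		}
		return err
	})
	return hits, err
}

func main() {
	// Constructed sample go.mod, not taken from any real module.
	sample := "module example.com/m\n\ngo 1.21\n\ntoolchain ./tools/go\n"
	fmt.Println("suspicious toolchain directives:", SuspiciousToolchains(sample))
}
```

Point ScanTree at the extracted module directories under GOMODCACHE (each `<module>@<version>/go.mod`) or at a vendor tree to cover both download paths named above.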
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
Red Hat
golang: cmd/go: go.mod toolchain directive allows arbitrary execution
vendor_redhat · 2023-09-06 · CVSS 9.8 · CRITICAL · CWE-94
A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy and downloaded directly using VCS software.
Package: openshift-golang-builder-container (Op
OSV
CVE-2023-39320: The go
osv · 2023-09-08 · CVSS 9.8 · CRITICAL
GHSA
GHSA-rxv8-v965-v333: The go
ghsa_unreviewed · 2023-09-08 · CRITICAL · CWE-94
OSV
Arbitrary code execution via go.mod toolchain directive in cmd/go
osv · 2023-09-07
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://go.dev/cl/526158
- https://go.dev/issue/62198
- https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
- https://pkg.go.dev/vuln/GO-2023-2042
- https://security.gentoo.org/glsa/202311-09
- https://security.netapp.com/advisory/ntap-20231020-0004/