CVE-2023-39320
published 2023-09-08


Priority: P261 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.42% (69.6th percentile)
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Affected

2 ranges

Vendor         Product   Version range            Fixed in
go_toolchain   cmd_go    >= 1.21.0-0 < 1.21.1     1.21.1
golang         go        >= 1.21.0 < 1.21.1       1.21.1

Detection & IOCs (extracted from sources)

  • The go.mod `toolchain` directive can be abused to execute scripts and binaries relative to the module root when the `go` command is run inside the module — monitor for unexpected process spawning from `go` command invocations, especially child processes launched from module root directories.
  • Attack surface includes modules fetched via the Go module proxy as well as those cloned directly via VCS (e.g., git) — audit both download paths for unexpected or tampered go.mod toolchain directives.
  • Red Hat marks all listed Go/golang packages as 'Not affected', meaning the vulnerability was not present or not exploitable in their shipped versions of Go 1.21 toolchain packages.
  • The vulnerability is specific to Go 1.21+, where the `toolchain` directive in go.mod was introduced; environments running Go versions prior to 1.21 are not affected.
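As an added example (not part of this record, and not the Go project's own code), the following Go program audits the `toolchain` directive of a go.mod file, the kind of check the description and the detection notes above call for on modules fetched from the module proxy or cloned directly via VCS. It assumes a strict allowlist of release-style toolchain names (`default`, `go1.X.Y`, `go1.XrcN`, `go1.XbetaN`) and flags anything else, including names with path separators or extra tokens, for manual review; custom-suffixed toolchain names would be flagged too, which is this example's conservative choice rather than Go's own validation rule. The go.mod contents in `main` are constructed samples.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding describes the toolchain directive found in a go.mod file.
type Finding struct {
	Directive  string // raw value after "toolchain"; empty if absent
	Suspicious bool   // true when the value should be reviewed by a human
	Reason     string // why it was flagged
}

// Strict allowlist for a toolchain name: "default" or a release-style
// version such as go1.21.1, go1.22rc1 or go1.22beta1. Custom-suffixed
// names (go1.21.1-something) are deliberately not allowed here so that
// they surface for review (this example's assumption, not Go's rule).
var stdToolchain = regexp.MustCompile(`^(default|go1\.[0-9]+(\.[0-9]+|rc[0-9]+|beta[0-9]+)?)$`)

// AuditGoMod scans go.mod text for a toolchain directive and reports
// whether it looks like a normal Go release name or needs review.
func AuditGoMod(goMod string) Finding {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		// Drop a trailing "// comment" so it does not count as a token.
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(line)
		// Match the directive keyword exactly ("toolchain", not "toolchainx").
		if len(fields) == 0 || fields[0] != "toolchain" {
			continue
		}
		raw := strings.TrimSpace(strings.TrimPrefix(line, "toolchain"))
		switch {
		case len(fields) != 2:
			return Finding{raw, true, "toolchain directive has an unexpected number of tokens"}
		case strings.ContainsAny(fields[1], `/\`):
			return Finding{raw, true, "toolchain name contains a path separator"}
		case !stdToolchain.MatchString(fields[1]):
			return Finding{raw, true, "toolchain name is not a standard Go release name"}
		}
		return Finding{Directive: raw}
	}
	// No toolchain directive at all: nothing for this check to flag.
	return Finding{}
}

func main() {
	// Constructed sample go.mod files; not taken from the advisory.
	samples := []struct{ name, text string }{
		{"clean", "module example.com/app\n\ngo 1.21\n\ntoolchain go1.21.1\n"},
		{"review", "module example.com/app\n\ngo 1.21\n\ntoolchain ./tools/go // constructed odd value\n"},
		{"absent", "module example.com/app\n\ngo 1.20\n"},
	}
	for _, s := range samples {
		f := AuditGoMod(s.text)
		fmt.Printf("%-7s directive=%q suspicious=%v %s\n", s.name, f.Directive, f.Suspicious, f.Reason)
	}
}
```

Run it over every go.mod in a module cache or a checkout (for example by feeding `find . -name go.mod` paths into `AuditGoMod`) and treat a `Suspicious` result as a prompt to inspect the module before building it with a pre-1.21.1 toolchain.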

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL