CVE-2023-39323: Code Injection in Toolchain CMD GO

Severity: 8.1 HIGH (NVD)
EPSS: 0.1% (top 81.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 5, latest update Nov 14

Description

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (2 packages)

NVD | golang/go | 1.21.0 | 1.21.2 | +1
CVEListV5 | go_toolchain/cmd_go | 1.21.0-0 | 1.21.2 | +1

Also affects: Fedora 37, 38, 39

Patches

🔴 Vulnerability Details (6)

GHSA: aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account (2024-07-02)
OSV: Go vulnerabilities (2024-01-11)
GHSA: GHSA-679v-hh23-h5jh: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed d (2023-10-05)
OSV: Arbitrary code execution during build via line directives in cmd/go (2023-10-05)
CVEList: Arbitrary code execution during build via line directives in cmd/go (2023-10-05)

📋 Vendor Advisories (6)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-01-11)
Microsoft: Arbitrary code execution during build via line directives in cmd/go (2023-10-10)
Red Hat: golang: cmd/go: line directives allows arbitrary execution during build (2023-10-05)