CVE-2023-39323
published 2023-10-05CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during…
PriorityP354high8.1CVSS 3.1
AVNACHPRNUINSUCHIHAH
EPSS
1.76%
75.2th percentile
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aimeos | ai-admin-graphql | >= 2022.04.1 < 2022.10.10 | 2022.10.10 |
| aimeos | ai-admin-graphql | >= 2023.04.1 < 2023.10.6 | 2023.10.6 |
| aimeos | ai-admin-graphql | >= 2024.04.1 < 2024.04.6 | 2024.04.6 |
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| go_toolchain | cmd_go | < 1.20.9 | 1.20.9 |
| go_toolchain | cmd_go | >= 1.21.0-0 < 1.21.2 | 1.21.2 |
| golang | go | < 1.20.9 | 1.20.9 |
| golang | go | >= 1.21.0 < 1.21.2 | 1.21.2 |
| msrc | azl3_golang_1.20.10-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
osv8.1HIGH
vendor_debian8.1HIGH
vendor_msrc8.1HIGH
vendor_redhat8.1HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2024-24791 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-01-11·CVSS 6.1
CVE-2023-39326 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_"
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly us
Microsoft
Arbitrary code execution during build via line directives in cmd/go
vendor_msrc·2023-10-10·CVSS 8.1
CVE-2023-39323 [HIGH] Arbitrary code execution during build via line directives in cmd/go
Arbitrary code execution during build via line directives in cmd/go
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https:/
Red Hat
golang: cmd/go: line directives allows arbitrary execution during build
vendor_redhat·2023-10-05·CVSS 8.1
CVE-2023-39323 [HIGH] CWE-94 golang: cmd/go: line directives allows arbitrary execution during build
golang: cmd/go: line directives allows arbitrary execution during build
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
A flaw was found in the golang cmd/go standard library. A line directive ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to pass during compilation. This can result in the unexpected execution of arbitrary code when running "go build". The line directi
Debian
CVE-2023-39323: golang-1.15 - Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_"...
vendor_debian·2023·CVSS 8.1
CVE-2023-39323 [HIGH] CVE-2023-39323: golang-1.15 - Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_"...
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Scope: local
bullseye: open
OSV
golang-1.17 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
GHSA
aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account
ghsa·2024-07-02
CVE-2024-39323 [HIGH] CWE-1220 aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account
aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.
OSV
Go vulnerabilities
osv·2024-01-11·CVSS 6.1
CVE-2023-39318 [MEDIUM] Go vulnerabilities
Go vulnerabilities
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_"
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting into a denial of se
GHSA
GHSA-679v-hh23-h5jh: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed d
ghsa_unreviewed·2023-10-05
CVE-2023-39323 [CRITICAL] GHSA-679v-hh23-h5jh: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed d
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
OSV
Arbitrary code execution during build via line directives in cmd/go
osv·2023-10-05
CVE-2023-39323 Arbitrary code execution during build via line directives in cmd/go
Arbitrary code execution during build via line directives in cmd/go
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
OSV
CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed d
osv·2023-10-05·CVSS 8.1
CVE-2023-39323 [HIGH] CVE-2023-39323: Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed d
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://go.dev/cl/533215https://go.dev/issue/63211https://groups.google.com/g/golang-announce/c/XBa1oHDevAohttps://lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/https://lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/https://lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/https://pkg.go.dev/vuln/GO-2023-2095https://security.gentoo.org/glsa/202311-09https://security.netapp.com/advisory/ntap-20231020-0001/https://go.dev/cl/533215https://go.dev/issue/63211https://groups.google.com/g/golang-announce/c/XBa1oHDevAohttps://lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/https://lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/https://lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/https://pkg.go.dev/vuln/GO-2023-2095https://security.gentoo.org/glsa/202311-09https://security.netapp.com/advisory/ntap-20231020-0001/
2023-10-05
Published