Lucene search

Redhat.comRH:CVE-2020-28367

HistoryNov 13, 2020 - 6:14 p.m.

CVE-2020-28367

2020-11-1318:14:47

redhat.com

access.redhat.com

input validation

vulnerability

bypass

gcc

compiler

arbitrary code execution

system availability

confidentiality

integrity

mitigation

cgo_enabled

dependency

CVSS2

5.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.019

Percentile

88.7%

JSON

An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via go get or go build while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Mitigation

If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either go get or go build.

For example:
CGO_ENABLED=0 go get github.com/someproject

This will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.