Metric | Value |
---|---|
CVSS3 | 9.8 High |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS | 0.001 Low |
Percentile | 48.6% |

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to
execute scripts and binaries relative to the root of the module when the
“go” command was executed within the module. This applies to modules
downloaded using the “go” command from the module proxy, as well as modules
downloaded directly using VCS software.
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
sbeattie | affects golang-1.21 only |
github.com/golang/go/commit/d25a935574efd573668d8ce9ea4cfc530bb63ecb (go1.21.1)
go.dev/cl/526158
go.dev/issue/62198
groups.google.com/g/golang-announce/c/Fm51GRLNRvM
groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
launchpad.net/bugs/cve/CVE-2023-39320
nvd.nist.gov/vuln/detail/CVE-2023-39320
pkg.go.dev/vuln/GO-2023-2042
security-tracker.debian.org/tracker/CVE-2023-39320
www.cve.org/CVERecord?id=CVE-2023-39320