CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 57.2%
github.com/golang/go is vulnerable to Arbitrary Code Execution. The vulnerability exists in the isCgoGeneratedFile function in noder.go: line directives allow blocked linker and compiler flags to be passed during compilation, which can result in arbitrary code execution when running go build.
bugzilla.suse.com/show_bug.cgi?id=1215985
github.com/golang/go/commit/2ddfc04d12da7028334ab4f8effbc3a78b92d9d2
github.com/golang/go/commit/31d5b604ac0adb58aec4870ac1b974c08312fd49
github.com/golang/go/issues/63211
go.dev/cl/533215
go.dev/issue/63211
groups.google.com/g/golang-announce/c/XBa1oHDevAo
lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
pkg.go.dev/vuln/GO-2023-2095
security.gentoo.org/glsa/202311-09
security.netapp.com/advisory/ntap-20231020-0001/