Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo
CVE-2020-28366

7.5HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go; Cmd/cgo
Vendor: CVE Published:; 18 November 2020

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2020-28366?

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Affected Version(s)

cmd/cgo 0 < 1.14.12

cmd/cgo 1.15.0-0 < 1.15.5

cmd/go 0 < 1.14.12

References

https://go.dev/cl/269658

https://go.googlesource.com/go/+/062e0e5ce6df339dc2673243...

https://go.dev/issue/42559

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2020
Vulnerability Reserved
Nov 9, 2020

Credit

Chris Brown (Tempus Ex)