Arbitrary code execution via the go command with cgo in cmd/go
CVE-2020-28367

7.5HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 18 November 2020

🔔 Create Go Toolchain Vulnerability Alert

What is CVE-2020-28367?

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Affected Version(s)

cmd/go 0 < 1.14.12

cmd/go 1.15.0-0 < 1.15.5

References

https://go.dev/cl/267277

https://go.googlesource.com/go/+/da7aa86917811a571e6634b4...

https://go.dev/issue/42556

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 18, 2020
Vulnerability Reserved
Nov 9, 2020

Credit

Imre Rad