Command Injection Vulnerability in Go on Windows Platforms
CVE-2021-3115

7.5HIGH

Key Information:

Vendor

Golang

Status
Go
Vendor
CVE Published:
26 January 2021

What is CVE-2021-3115?

A vulnerability exists in Go versions prior to 1.14.14 and in 1.15.x versions before 1.15.7 on Windows. This flaw arises when the 'go get' command is utilized for fetching modules that leverage cgo. It potentially allows command injection and remote code execution, as cgo can execute GCC or other commands from untrusted downloads. This puts developers and applications at risk if malicious modules are fetched inadvertently.

References

https://groups.google.com/g/golang-announce/c/mperVMGa98w
x_refsource_CONFIRM
https://blog.golang.org/path-security
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-3115 : Command Injection Vulnerability in Go on Windows Platforms