Output of 'go env' Can Lead to Security Risks
CVE-2023-24531

9.8CRITICAL

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 2 July 2024

What is CVE-2023-24531?

The Go environment command 'go env' produces a shell script reflecting the Go environment without adequate sanitization of its values. As a result, executing this script can lead to potential risks such as arbitrary command execution or unwanted insertion of new environment variables. While this flaw introduces a certain level of risk, it may often be overshadowed by the broader implications that arise when attackers can manipulate environment variables directly.

Affected Version(s)

cmd/go 0 < 1.21.0-0

References

https://go.dev/cl/488375

https://go.dev/cl/493535

https://go.dev/issue/58508

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 2, 2024
Vulnerability Reserved
Jan 25, 2023

Credit

Hunter Wittenborn (https://hunterwittenborn.com/)

Go Toolchain

What is CVE-2023-24531?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit