Code injection via go command with cgo in cmd/go
CVE-2023-29402

9.8 CRITICAL

Key Information:

Status
Vendor
CVE Published: 8 June 2023

What is CVE-2023-29402?

The go command may generate unexpected code at build time when using cgo, specifically when the build involves an untrusted module whose directory names include newline characters. This can lead to unexpected behavior when running Go programs that use cgo. Modules retrieved through the go command, such as via 'go get', are not affected; modules retrieved in GOPATH mode (GO111MODULE=off) may be affected. Developers should be cautious when building untrusted modules.

Affected Version(s)

cmd/go 0 < 1.19.10

cmd/go 1.20.0-0 < 1.20.5
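
A pre-build audit for the conditions described above, added here as an example and not taken from the Go project or the advisory: it checks a toolchain version string against the affected ranges listed on this page and walks a source tree for directory names containing a newline. The function names `affectedToolchain` and `newlineDirs` and the default root `.` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// affectedToolchain reports whether a version string such as "go1.20.4" falls
// in the ranges listed on this page: below 1.19.10, or 1.20 before 1.20.5.
func affectedToolchain(v string) (bool, error) {
	var major, minor, patch int
	// "go1.19" and "go1.20rc1" yield only two fields; patch then stays 0.
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch); n < 2 || major != 1 {
		return false, fmt.Errorf("unrecognized Go version %q", v)
	}
	return minor < 19 || (minor == 19 && patch < 10) || (minor == 20 && patch < 5), nil
}

// newlineDirs walks root and returns every directory whose name contains a newline.
func newlineDirs(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && strings.Contains(d.Name(), "\n") {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	root := "." // assumption: run from the top of the source tree being audited
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	bad, verErr := affectedToolchain(runtime.Version())
	dirs, err := newlineDirs(root)
	fmt.Printf("affected=%v (%v) GO111MODULE=%q walk error=%v\n", bad, verErr, os.Getenv("GO111MODULE"), err)
	for _, d := range dirs {
		fmt.Printf("newline in directory name: %q\n", d) // %q makes the \n visible
	}
}
```

Any path it reports should be inspected before the tree is built with cgo on a toolchain in the affected ranges.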

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Juho Nurminen of Mattermost