CVE-2023-29404

2023-06-0821:15:17

CWE-94

[email protected]

web.nvd.nist.gov

251

cve-2023-29404

go command

arbitrary code execution

build time

cgo

linker flags

ldflags directive

compiler vulnerability

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.4%

JSON

The go command may execute arbitrary code at build time when using cgo. This may occur when running “go get” on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a “#cgo LDFLAGS” directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

Affected configurations

NVD

Node

golanggoRange<1.19.10

golanggoRange1.20.0–1.20.5

Node

fedoraprojectfedoraMatch38

CPENameOperatorVersion
golang:gogolang golt1.19.10
golang:gogolang golt1.20.5

CPE	Name	Operator	Version
golang:go	golang go	lt	1.19.10
golang:go	golang go	lt	1.20.5

CNA Affected

[
  {
    "vendor": "Go toolchain",
    "product": "cmd/go",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/go",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.19.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.20.0-0",
        "lessThan": "1.20.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]