cvelist / Go / CVELIST:CVE-2020-28366
History: Nov 18, 2020 - 12:00 a.m.

CVE-2020-28366 Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo

2020-11-18 00:00:00
Go
www.cve.org
cve-2020-28366
arbitrary code execution
go command
cgo
code injection
build time
linked object file

AI Score: 8.1
Confidence: High
EPSS: 0.01
Percentile: 84.5%

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

CNA Affected

[
  {
    "vendor": "Go toolchain",
    "product": "cmd/go",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/go",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.14.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.15.0-0",
        "lessThan": "1.15.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "Builder.cgo"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Go toolchain",
    "product": "cmd/cgo",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/cgo",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.14.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.15.0-0",
        "lessThan": "1.15.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "dynimport"
      }
    ],
    "defaultStatus": "unaffected"
  }
]