Lucene search
GoCVELIST:CVE-2023-24531HistoryJul 02, 2024 - 7:51 p.m.
CVE-2023-24531 Output of "go env" does not sanitize values in cmd/go
2024-07-0219:51:48
Go
www.cve.org
2
cve-2023-24531
go env
shell script
environment variables
EPSS
0
Percentile
15.8%
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn’t sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making “go env” print them out.
CNA Affected
[
{
"vendor": "Go toolchain",
"product": "cmd/go",
"collectionURL": "https://pkg.go.dev",
"packageName": "cmd/go",
"versions": [
{
"version": "0",
"lessThan": "1.21.0-0",
"status": "affected",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]Related
osv
osv
Output of "go env" does not sanitize values in cmd/go
2024-07-02 19:27:52
CVE-2023-24531
2024-07-02 20:15:00
BIT-golang-2023-24531
2024-07-04 07:29:14
vulnrichment
vulnrichment
CVE-2023-24531 Output of "go env" does not sanitize values in cmd/go
2024-07-02 19:51:48
veracode
veracode
Arbitrary Code Execution
2024-08-05 15:13:21
nvd
nvd
CVE-2023-24531
2024-07-02 20:15:05
nessus
nessus
Photon OS 3.0: Go PHSA-2024-3.0-0785
2024-08-30 00:00:00
debiancve
debiancve
CVE-2023-24531
2024-07-02 20:15:05
cve
cve
CVE-2023-24531
2024-07-02 20:15:05
cbl_mariner
cbl_mariner
CVE-2023-24531 affecting package golang for versions less than 1.21.0-1
2024-09-18 21:14:13
CVE-2023-24531 affecting package msft-golang for versions less than 1.21.0-1
2024-09-18 21:14:20
CVE-2023-24531 affecting package golang for versions less than 1.21.0-1
2024-09-18 21:14:20
ubuntucve
ubuntucve
CVE-2023-24531
2024-07-02 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2024-3.0-0785
2024-08-26 00:00:00