CVE-2023-29402 Code injection via go command with cgo in cmd/go

2023-06-08 20:19:04
Go
www.cve.org

AI Score: 9.8 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 56.1%)

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via “go get”, are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
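
A pre-build check for the two conditions described above, written as an added example (it is not code from the Go project or from this record): it tests a Go version string against the ranges listed under CNA Affected and walks a source tree, such as a GOPATH-mode checkout, for directories whose names contain a newline. The names `key`, `Affected` and `NewlineDirs` are hypothetical, and release-style version strings are assumed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"strconv"
	"strings"
)

// key maps "go1.20.4" or "1.19.10" to 1020004 / 1019010; "rc1"-style suffixes count as patch 0.
func key(v string) int {
	var n [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		end := 0
		for end < len(p) && p[end] >= '0' && p[end] <= '9' {
			end++
		}
		n[i], _ = strconv.Atoi(p[:end])
	}
	return n[0]*1000000 + n[1]*1000 + n[2]
}

// Affected applies the record's ranges: v < 1.19.10, or 1.20.0-0 <= v < 1.20.5.
func Affected(v string) bool {
	k := key(v)
	return k < 1019010 || (k >= 1020000 && k < 1020005)
}

// NewlineDirs returns every directory under root whose name contains '\n'.
func NewlineDirs(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err == nil && d.IsDir() && strings.Contains(d.Name(), "\n") {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

func main() {
	// runtime.Version() is the toolchain that built this scanner.
	fmt.Printf("%s in affected range: %v\n", runtime.Version(), Affected(runtime.Version()))
	for _, root := range os.Args[1:] {
		dirs, err := NewlineDirs(root)
		fmt.Printf("%s: %q (walk error: %v)\n", root, dirs, err)
	}
}
```

Pass one or more source roots as arguments; any path it prints should be reviewed before the tree is built with cgo enabled.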

CNA Affected

[
  {
    "vendor": "Go toolchain",
    "product": "cmd/go",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/go",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.19.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.20.0-0",
        "lessThan": "1.20.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]