CVE-2023-29402 Code injection via go command with cgo in cmd/go

2023-06-08 20:19:04
Go
www.cve.org
AI Score: 9.8 High (Confidence: High)

EPSS: 0.005 Low (Percentile: 76.9%)

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a Go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via “go get”, are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

CNA Affected

[
  {
    "vendor": "Go toolchain",
    "product": "cmd/go",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/go",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.19.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.20.0-0",
        "lessThan": "1.20.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
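
A pre-build audit for the condition described above, as an added example that is not part of the CVE record or the Go project's code: it checks the running toolchain against the version ranges in the CNA data and lists directories whose names contain a newline. The names `affected` and `newlineDirs` are hypothetical, and the source tree to scan is taken from the first command-line argument.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// affected reports whether a release string such as "go1.20.4" falls in the
// ranges from the CNA data: below 1.19.10, or from 1.20.0-0 up to (not
// including) 1.20.5. Unparseable strings (e.g. devel builds) return false.
func affected(release string) bool {
	var major, minor, patch int
	// Sscanf stops at the first mismatch, so "1.19" and "1.20rc1" leave patch at 0.
	n, _ := fmt.Sscanf(strings.TrimPrefix(release, "go"), "%d.%d.%d", &major, &minor, &patch)
	if n < 2 || major != 1 {
		return false
	}
	return minor < 19 || (minor == 19 && patch < 10) || (minor == 20 && patch < 5)
}

// newlineDirs walks root and returns every directory whose own name
// contains a newline character, the trigger named in the description.
func newlineDirs(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && strings.Contains(d.Name(), "\n") {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1] // assumed: path to the GOPATH or vendored tree to audit
	}
	fmt.Printf("toolchain %s in affected range: %v\n", runtime.Version(), affected(runtime.Version()))
	dirs, err := newlineDirs(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk:", err)
		os.Exit(1)
	}
	for _, d := range dirs {
		fmt.Printf("directory name contains newline: %q\n", d)
	}
}
```

Run it over a GOPATH-mode checkout before building; any reported directory on an affected toolchain is a reason to stop and inspect the module.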