Lucene search

K
cvelistGoCVELIST:CVE-2023-39323
HistoryOct 05, 2023 - 8:36 p.m.

CVE-2023-39323 Arbitrary code execution during build via line directives in cmd/go

2023-10-0520:36:58
Go
www.cve.org
9
cve-2023-39323
arbitrary code execution
line directives
go build
cgo directives

AI Score

8.4

Confidence

High

EPSS

0.004

Percentile

73.3%

Line directives (“//line”) can be used to bypass the restrictions on “//go:cgo_” directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running “go build”. The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

CNA Affected

[
  {
    "vendor": "Go toolchain",
    "product": "cmd/go",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "cmd/go",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.20.9",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.21.0-0",
        "lessThan": "1.21.2",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]