CVSS3

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile: 81.1%
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This can be triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a
number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
This affects usage of both the gc and gccgo compilers.
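As an added example (not code from the Go project or from this advisory), the following Go program lists the "#cgo LDFLAGS" directives found in untrusted source and rejects any argument-taking flag that arrives without an attached argument, the class of flag the sanitization bug above concerns. The allowlist it applies is an assumption chosen for this example and is stricter than the go command's own rules.

```go
// Added example, not the Go project's code: audit "#cgo LDFLAGS" directives in untrusted source before building it.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Directive is one "#cgo [constraints] LDFLAGS: ..." line and its arguments.
type Directive struct {
	Line int
	Args []string
}

// Matches "// #cgo ..." line comments and "#cgo ..." lines inside /* */ blocks.
var ldflagsRe = regexp.MustCompile(`^\s*(?://)?\s*#cgo\s+(?:[^:]*?\s+)?LDFLAGS:\s*(.*)$`)

// ExtractLDFLAGS pulls every #cgo LDFLAGS directive out of Go source text.
func ExtractLDFLAGS(src string) []Directive {
	var out []Directive
	for i, line := range strings.Split(src, "\n") {
		if m := ldflagsRe.FindStringSubmatch(line); m != nil {
			out = append(out, Directive{Line: i + 1, Args: strings.Fields(m[1])})
		}
	}
	return out
}

// Assumed allowlist for this example (stricter than the go command's own):
// only -l<name> and -L<path>, with the argument attached to the flag.
var allowedRe = regexp.MustCompile(`^-[lL][A-Za-z0-9_./+-]+$`)

// Audit returns one reason per argument that should block the build: an
// argument-taking flag with nothing attached, or any token outside the allowlist.
func Audit(ds []Directive) []string {
	var problems []string
	for _, d := range ds {
		for _, a := range d.Args {
			switch {
			case a == "-l" || a == "-L":
				problems = append(problems, fmt.Sprintf("line %d: %q requires an attached argument", d.Line, a))
			case !allowedRe.MatchString(a):
				problems = append(problems, fmt.Sprintf("line %d: flag %q not in allowlist", d.Line, a))
			}
		}
	}
	return problems
}

func main() { // constructed sample: one benign directive, one that gets blocked
	src := "// #cgo LDFLAGS: -L/usr/local/lib -lfoo\n// #cgo linux LDFLAGS: -L -Wl,--example-option\nimport \"C\"\n"
	for _, p := range Audit(ExtractLDFLAGS(src)) {
		fmt.Println(p)
	}
}
```

Run it over a freshly fetched module directory (for example by reading each .go file and passing its contents to ExtractLDFLAGS) before any command that builds that module.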
| Author | Note |
|---|---|
| mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
| ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
- github.com/golang/go/commit/356a419e2f811b65d227abcea1a346f8dcb154e0 (fix in go1.20.5)
- github.com/golang/go/commit/bf3c8ce03e175e870763901a3850bca01381a828 (fix in go1.19.10)
- github.com/golang/go/issues/60305
- groups.google.com/g/golang-announce/c/q5135a9d924
- launchpad.net/bugs/cve/CVE-2023-29404
- nvd.nist.gov/vuln/detail/CVE-2023-29404
- security-tracker.debian.org/tracker/CVE-2023-29404
- www.cve.org/CVERecord?id=CVE-2023-29404