CVE-2023-29402
Code injection via go command with cgo in cmd/go
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 1.7%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
08 Jun 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Go toolchain · cmd/goWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://go.dev/cl/501226https://go.dev/issue/60167https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/https://pkg.go.dev/vuln/GO-2023-1839https://security.gentoo.org/glsa/202311-09https://security.netapp.com/advisory/ntap-20241213-0004/