CVE-2023-39320

Arbitrary code execution via go.mod toolchain directive in cmd/go

EPSS 1.4%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

08 Sep 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Affected products

Go toolchain · cmd/go

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://go.dev/cl/526158 https://go.dev/issue/62198 https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ https://pkg.go.dev/vuln/GO-2023-2042 https://security.gentoo.org/glsa/202311-09 https://security.netapp.com/advisory/ntap-20231020-0004/