CVE-2020-28366

Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo

EPSS 2.2%

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 2.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 nov 2020Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Produtos afetados

Go toolchain · cmd/cgo Go toolchain · cmd/go

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://go.dev/cl/269658 https://go.dev/issue/42559 https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM https://pkg.go.dev/vuln/GO-2022-0475