CVE-2023-39320

Arbitrary code execution via go.mod toolchain directive in cmd/go

EPSS 1.4%

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

08 set 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Produtos afetados

Go toolchain · cmd/go

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://go.dev/cl/526158 https://go.dev/issue/62198 https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ https://pkg.go.dev/vuln/GO-2023-2042 https://security.gentoo.org/glsa/202311-09 https://security.netapp.com/advisory/ntap-20231020-0004/