CVE-2023-39320
Summary
| CVE | CVE-2023-39320 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-08 17:15:00 UTC |
| Updated | 2023-11-07 04:17:00 UTC |
| Description | The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. |
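The directive the description refers to is the `toolchain` line in go.mod, and the class of problem is a toolchain value that names a location relative to the module root rather than a released Go version, which the `go` command (before the fix) would then run. The following Go program is an added example, not code from the Go project or from this advisory: it scans go.mod content and flags `toolchain` directives whose value is path-like or otherwise not a plain toolchain name. Both go.mod samples are constructed; the `./tools/go1.21.0` value is hypothetical and only illustrates the path-like shape, not the exact input used in the report. The allowlist here is an independent conservative check, not the validation that the Go 1.21.1 / 1.20.8 fix (go.dev/cl/526158) implements.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// toolchainNameRE is a conservative allowlist for the value of a go.mod
// "toolchain" directive: "go" followed by a dotted numeric version and an
// optional prerelease suffix (go1.21.1, go1.22rc1). Anything else is flagged.
var toolchainNameRE = regexp.MustCompile(`^go[0-9]+(\.[0-9]+){0,2}((rc|beta)[0-9]+)?$`)

// Finding describes one suspicious toolchain directive.
type Finding struct {
	Line   int    // 1-based line number in the go.mod text
	Value  string // the directive's argument as written
	Reason string // why it was flagged
}

// CheckGoMod scans go.mod content and reports toolchain directives whose
// value does not look like a toolchain name. Trailing // comments are
// stripped before matching. "default" is accepted because go.mod allows it.
func CheckGoMod(content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 || fields[0] != "toolchain" {
			continue
		}
		if len(fields) != 2 {
			findings = append(findings, Finding{lineNo, strings.Join(fields[1:], " "), "malformed toolchain directive"})
			continue
		}
		v := fields[1]
		switch {
		case v == "default":
			// explicitly permitted by the go.mod grammar
		case strings.ContainsAny(v, `/\`), strings.HasPrefix(v, "."):
			findings = append(findings, Finding{lineNo, v, "toolchain value looks like a file path"})
		case !toolchainNameRE.MatchString(v):
			findings = append(findings, Finding{lineNo, v, "toolchain value is not a plain goX.Y.Z name"})
		}
	}
	return findings
}

// CleanGoMod is a constructed sample of a benign go.mod.
const CleanGoMod = `module example.com/app

go 1.21.0

toolchain go1.21.1

require golang.org/x/text v0.13.0
`

// SuspiciousGoMod is a constructed sample whose toolchain value is a
// relative path (hypothetical) instead of a toolchain name.
const SuspiciousGoMod = `module example.com/app

go 1.21.0

toolchain ./tools/go1.21.0 // hypothetical path-like value

require golang.org/x/text v0.13.0
`

func main() {
	for name, src := range map[string]string{"clean": CleanGoMod, "suspicious": SuspiciousGoMod} {
		findings := CheckGoMod(src)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: %q: %s\n", f.Line, f.Value, f.Reason)
		}
	}
}
```

The scan is cheap enough to run as a pre-merge check or over every go.mod in a module cache or vendor tree. Two further controls follow from the advisory itself: upgrade to Go 1.21.1 or 1.20.8 (or later), and set `GOTOOLCHAIN=local` in CI so the `go` command only ever uses the toolchain it shipped with and never switches to one named by a go.mod it did not write.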
Risk And Classification
Problem Types: CWE-94 (Improper Control of Generation of Code, "Code Injection")
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [security] Go 1.21.1 and Go 1.20.8 are released | MISC | groups.google.com | |
| go.dev/cl/526158 | MISC | go.dev | |
| September 2023 Golang 1.21.0 Vulnerabilities in NetApp Products (NetApp Product Security) | MISC | security.netapp.com | |
| GO-2023-2042 - Go Packages | MISC | pkg.go.dev | |
| cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) · Issue #62198 · golang/go · GitHub | MISC | go.dev | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
- 506086 Alpine Linux Security Update for go
- 710791 Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)
- 754886 SUSE Enterprise Linux Security Update for go1.21 (SUSE-SU-2023:3701-1)
- 755275 SUSE Enterprise Linux Security Update for go1.21-openssl (SUSE-SU-2023:4469-1)