CVE-2023-39323

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2023-39323
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-10-05 21:15:00 UTC
Updated2024-01-04 18:04:00 UTC
DescriptionLine directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Fedoraproject Fedora 37 All All All
Operating System Fedoraproject Fedora 38 All All All
Operating System Fedoraproject Fedora 39 All All All
Application Golang Go All All All All

References

ReferenceSourceLinkTags
Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security security.gentoo.org Third Party Advisory
cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) · Issue #63211 · golang/go · GitHub MISC go.dev
GO-2023-2095 - Go Packages MISC pkg.go.dev
[SECURITY] Fedora 38 Update: golang-1.20.10-2.fc38 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
CVE-2023-39323 Golang Vulnerability in NetApp Products | NetApp Product Security MISC security.netapp.com
go.dev/cl/533215 MISC go.dev
[security] Go 1.21.2 and Go 1.20.9 are released MISC groups.google.com
[SECURITY] Fedora 39 Update: golang-1.21.3-1.fc39 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
[SECURITY] Fedora 37 Update: golang-1.20.10-3.fc37 - package-announce - Fedora Mailing-Lists MISC lists.fedoraproject.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 200040 Ubuntu Security Notification for Go Vulnerabilities (USN-6574-1)
  • 284688 Fedora Security Update for golang (FEDORA-2023-fe53e13b5b)
  • 284689 Fedora Security Update for golang (FEDORA-2023-4bf641255e)
  • 285182 Fedora Security Update for golang (FEDORA-2023-822aab0a5a)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 356411 Amazon Linux Security Advisory for golang : ALAS2-2023-2313
  • 356455 Amazon Linux Security Advisory for golang : ALAS-2023-1871
  • 356513 Amazon Linux Security Advisory for golang : ALAS2023-2023-394
  • 356597 Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2ECS-2023-016
  • 356624 Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2023-2023-420
  • 503374 Alpine Linux Security Update for go
  • 506087 Alpine Linux Security Update for go
  • 673519 EulerOS Security Update for golang (EulerOS-SA-2023-3270)
  • 673612 EulerOS Security Update for golang (EulerOS-SA-2024-1082)
  • 673850 EulerOS Security Update for golang (EulerOS-SA-2024-1140)
  • 673979 EulerOS Security Update for golang (EulerOS-SA-2023-3299)
  • 673981 EulerOS Security Update for golang (EulerOS-SA-2024-1058)
  • 673988 EulerOS Security Update for golang (EulerOS-SA-2023-3331)
  • 674107 EulerOS Security Update for golang (EulerOS-SA-2023-3242)
  • 710791 Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)
  • 755051 SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:4018-1)
  • 755052 SUSE Enterprise Linux Security Update for go1.21 (SUSE-SU-2023:4017-1)
  • 755272 SUSE Enterprise Linux Security Update for go1.20-openssl (SUSE-SU-2023:4472-1)
  • 755275 SUSE Enterprise Linux Security Update for go1.21-openssl (SUSE-SU-2023:4469-1)
  • 907547 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31107-1)
  • 907803 Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31107-2)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report