{"api_version":"1","generated_at":"2026-04-23T00:40:34+00:00","cve":"CVE-2021-3115","urls":{"html":"https://cve.report/CVE-2021-3115","api":"https://cve.report/api/cve/CVE-2021-3115.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3115","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3115"},"summary":{"title":"CVE-2021-3115","description":"Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-01-26 18:16:00","updated_at":"2023-11-07 03:37:00"},"problem_types":["CWE-427"],"metrics":[],"references":[{"url":"https://groups.google.com/g/golang-announce/c/mperVMGa98w","name":"https://groups.google.com/g/golang-announce/c/mperVMGa98w","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"[security] Go 1.15.7 and Go 1.14.14 are released","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/","name":"FEDORA-2021-e435a8bb88","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: golang-1.15.7-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20210219-0001/","name":"https://security.netapp.com/advisory/ntap-20210219-0001/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"February 2021 Golang Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://blog.golang.org/path-security","name":"https://blog.golang.org/path-security","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Command PATH security in Go - The Go Blog","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/","name":"FEDORA-2021-e435a8bb88","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: golang-1.15.7-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202208-02","name":"GLSA-202208-02","refsource":"GENTOO","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3115","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3115","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_insights_telegraf_agent","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_insights_telegraf_agent","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"storagegrid","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3115","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"storagegrid","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3115","qid":"159209","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2021-1746)"},{"cve":"CVE-2021-3115","qid":"179936","title":"Debian Security Update for golang-1.15 (CVE-2021-3115)"},{"cve":"CVE-2021-3115","qid":"239312","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2021:1746)"},{"cve":"CVE-2021-3115","qid":"352297","title":"Amazon Linux Security Update for golang: AL2012-2021-340"},{"cve":"CVE-2021-3115","qid":"375393","title":"Go Command Injection and Remote Code Execution Vulnerability"},{"cve":"CVE-2021-3115","qid":"501575","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2021-3115","qid":"690411","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (6a4805d5-5aaf-11eb-a21d-79f5bc5ef6a9)"},{"cve":"CVE-2021-3115","qid":"710584","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202208-02)"},{"cve":"CVE-2021-3115","qid":"750384","title":"OpenSUSE Security Update for go1.14 (openSUSE-SU-2021:0194-1)"},{"cve":"CVE-2021-3115","qid":"750385","title":"OpenSUSE Security Update for go1.14 (openSUSE-SU-2021:0190-1)"},{"cve":"CVE-2021-3115","qid":"750387","title":"OpenSUSE Security Update for go1.15 (openSUSE-SU-2021:0192-1)"},{"cve":"CVE-2021-3115","qid":"940200","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2021:1746)"},{"cve":"CVE-2021-3115","qid":"960773","title":"Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2021:1746)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-3115","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"CONFIRM","name":"https://groups.google.com/g/golang-announce/c/mperVMGa98w","url":"https://groups.google.com/g/golang-announce/c/mperVMGa98w"},{"refsource":"CONFIRM","name":"https://blog.golang.org/path-security","url":"https://blog.golang.org/path-security"},{"refsource":"FEDORA","name":"FEDORA-2021-e435a8bb88","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210219-0001/","url":"https://security.netapp.com/advisory/ntap-20210219-0001/"},{"refsource":"GENTOO","name":"GLSA-202208-02","url":"https://security.gentoo.org/glsa/202208-02"}]}},"nvd":{"publishedDate":"2021-01-26 18:16:00","lastModifiedDate":"2023-11-07 03:37:00","problem_types":["CWE-427"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.1},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.14.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.15","versionEndExcluding":"1.15.7","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3115","Ordinal":"198554","Title":"CVE-2021-3115","CVE":"CVE-2021-3115","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3115","Ordinal":"1","NoteData":"Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).","Type":"Description","Title":null},{"CveYear":"2021","CveId":"3115","Ordinal":"2","NoteData":"2021-01-25","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"3115","Ordinal":"3","NoteData":"2021-02-19","Type":"Other","Title":"Modified"}]}}}