{"api_version":"1","generated_at":"2026-04-23T01:14:55+00:00","cve":"CVE-2023-29402","urls":{"html":"https://cve.report/CVE-2023-29402","api":"https://cve.report/api/cve/CVE-2023-29402.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-29402","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-29402"},"summary":{"title":"CVE-2023-29402","description":"The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-06-08 21:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://pkg.go.dev/vuln/GO-2023-1839","name":"https://pkg.go.dev/vuln/GO-2023-1839","refsource":"MISC","tags":[],"title":"GO-2023-1839 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: golang-1.20.6-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/501226","name":"https://go.dev/cl/501226","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-1.19.12-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","name":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","refsource":"MISC","tags":[],"title":"[security] Go 1.20.5 and Go 1.19.10 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/60167","name":"https://go.dev/issue/60167","refsource":"MISC","tags":[],"title":"cmd/go: cgo code injection [CVE-2023-29402] · Issue #60167 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29402","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29402","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"29402","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29402","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-29402","qid":"160768","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-3922)"},{"cve":"CVE-2023-29402","qid":"160775","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-3923)"},{"cve":"CVE-2023-29402","qid":"241761","title":"Red Hat Update for go-toolset and golang (RHSA-2023:3923)"},{"cve":"CVE-2023-29402","qid":"241765","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2023:3922)"},{"cve":"CVE-2023-29402","qid":"284327","title":"Fedora Security Update for golang (FEDORA-2023-eb60fcd505)"},{"cve":"CVE-2023-29402","qid":"284380","title":"Fedora Security Update for golang (FEDORA-2023-1819dc9854)"},{"cve":"CVE-2023-29402","qid":"355573","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1784"},{"cve":"CVE-2023-29402","qid":"355578","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2131"},{"cve":"CVE-2023-29402","qid":"355748","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-269"},{"cve":"CVE-2023-29402","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-29402","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-29402","qid":"378646","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0055)"},{"cve":"CVE-2023-29402","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2023-29402","qid":"503190","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29402","qid":"506083","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29402","qid":"673378","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2786)"},{"cve":"CVE-2023-29402","qid":"673460","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2810)"},{"cve":"CVE-2023-29402","qid":"673659","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2842)"},{"cve":"CVE-2023-29402","qid":"673916","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2859)"},{"cve":"CVE-2023-29402","qid":"691224","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (78f2e491-312d-11ee-85f2-bd89b893fcb4)"},{"cve":"CVE-2023-29402","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-29402","qid":"754100","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:2526-1)"},{"cve":"CVE-2023-29402","qid":"754101","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:2525-1)"},{"cve":"CVE-2023-29402","qid":"907026","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (27122-1)"},{"cve":"CVE-2023-29402","qid":"907496","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (27111-1)"},{"cve":"CVE-2023-29402","qid":"907805","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (27111-2)"},{"cve":"CVE-2023-29402","qid":"941157","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:3922)"},{"cve":"CVE-2023-29402","qid":"941159","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:3923)"},{"cve":"CVE-2023-29402","qid":"960955","title":"Rocky Linux Security Update for go-toolset and golang (RLSA-2023:3923)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-29402","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via \"go get\", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected)."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go toolchain","product":{"product_data":[{"product_name":"cmd/go","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.10"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.5"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/60167","refsource":"MISC","name":"https://go.dev/issue/60167"},{"url":"https://go.dev/cl/501226","refsource":"MISC","name":"https://go.dev/cl/501226"},{"url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"},{"url":"https://pkg.go.dev/vuln/GO-2023-1839","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1839"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"}]},"credits":[{"lang":"en","value":"Juho Nurminen of Mattermost"}]},"nvd":{"publishedDate":"2023-06-08 21:15:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.10","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}