{"api_version":"1","generated_at":"2026-04-22T23:31:38+00:00","cve":"CVE-2023-29405","urls":{"html":"https://cve.report/CVE-2023-29405","api":"https://cve.report/api/cve/CVE-2023-29405.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-29405","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-29405"},"summary":{"title":"CVE-2023-29405","description":"The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-06-08 21:15:00","updated_at":"2023-11-25 11:15:00"},"problem_types":["CWE-74"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://go.dev/issue/60306","name":"https://go.dev/issue/60306","refsource":"MISC","tags":[],"title":"cmd/go: improper sanitization of LDFLAGS [CVE-2023-29405] · Issue #60306 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2023-1842","name":"https://pkg.go.dev/vuln/GO-2023-1842","refsource":"MISC","tags":[],"title":"GO-2023-1842 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: golang-1.20.6-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/501224","name":"https://go.dev/cl/501224","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-1.19.12-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","name":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","refsource":"MISC","tags":[],"title":"[security] Go 1.20.5 and Go 1.19.10 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-29405","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29405","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"29405","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"29405","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-29405","qid":"160768","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-3922)"},{"cve":"CVE-2023-29405","qid":"160775","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-3923)"},{"cve":"CVE-2023-29405","qid":"241761","title":"Red Hat Update for go-toolset and golang (RHSA-2023:3923)"},{"cve":"CVE-2023-29405","qid":"241765","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2023:3922)"},{"cve":"CVE-2023-29405","qid":"284327","title":"Fedora Security Update for golang (FEDORA-2023-eb60fcd505)"},{"cve":"CVE-2023-29405","qid":"284380","title":"Fedora Security Update for golang (FEDORA-2023-1819dc9854)"},{"cve":"CVE-2023-29405","qid":"355697","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2163"},{"cve":"CVE-2023-29405","qid":"355748","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-269"},{"cve":"CVE-2023-29405","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-29405","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-29405","qid":"378646","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0055)"},{"cve":"CVE-2023-29405","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2023-29405","qid":"503190","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29405","qid":"506083","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-29405","qid":"673378","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2786)"},{"cve":"CVE-2023-29405","qid":"673460","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2810)"},{"cve":"CVE-2023-29405","qid":"673659","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2842)"},{"cve":"CVE-2023-29405","qid":"673916","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2859)"},{"cve":"CVE-2023-29405","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-29405","qid":"754100","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:2526-1)"},{"cve":"CVE-2023-29405","qid":"754101","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:2525-1)"},{"cve":"CVE-2023-29405","qid":"907499","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (27110-1)"},{"cve":"CVE-2023-29405","qid":"907867","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (27110-2)"},{"cve":"CVE-2023-29405","qid":"907892","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (27123-1)"},{"cve":"CVE-2023-29405","qid":"941157","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:3922)"},{"cve":"CVE-2023-29405","qid":"941159","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:3923)"},{"cve":"CVE-2023-29405","qid":"960955","title":"Rocky Linux Security Update for go-toolset and golang (RLSA-2023:3923)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-29405","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go toolchain","product":{"product_data":[{"product_name":"cmd/go","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.10"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.5"}]}},{"product_name":"cmd/cgo","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.10"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.5"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/60306","refsource":"MISC","name":"https://go.dev/issue/60306"},{"url":"https://go.dev/cl/501224","refsource":"MISC","name":"https://go.dev/cl/501224"},{"url":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"},{"url":"https://pkg.go.dev/vuln/GO-2023-1842","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1842"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"}]},"credits":[{"lang":"en","value":"Juho Nurminen of Mattermost"}]},"nvd":{"publishedDate":"2023-06-08 21:15:00","lastModifiedDate":"2023-11-25 11:15:00","problem_types":["CWE-74"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.10","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}