{"api_version":"1","generated_at":"2026-04-22T22:49:56+00:00","cve":"CVE-2023-39320","urls":{"html":"https://cve.report/CVE-2023-39320","api":"https://cve.report/api/cve/CVE-2023-39320.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-39320","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-39320"},"summary":{"title":"CVE-2023-39320","description":"The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-09-08 17:15:00","updated_at":"2023-11-07 04:17:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ","name":"https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ","refsource":"MISC","tags":[],"title":"[security] Go 1.21.1 and Go 1.20.8 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/526158","name":"https://go.dev/cl/526158","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20231020-0004/","name":"https://security.netapp.com/advisory/ntap-20231020-0004/","refsource":"MISC","tags":[],"title":"September 2023 Golang 1.21.0 Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2023-2042","name":"https://pkg.go.dev/vuln/GO-2023-2042","refsource":"MISC","tags":[],"title":"GO-2023-2042 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/62198","name":"https://go.dev/issue/62198","refsource":"MISC","tags":[],"title":"cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) · Issue #62198 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-39320","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39320","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"39320","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-39320","qid":"296105","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)"},{"cve":"CVE-2023-39320","qid":"506086","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-39320","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-39320","qid":"754886","title":"SUSE Enterprise Linux Security Update for go1.21 (SUSE-SU-2023:3701-1)"},{"cve":"CVE-2023-39320","qid":"755275","title":"SUSE Enterprise Linux Security Update for go1.21-openssl (SUSE-SU-2023:4469-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-39320","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go toolchain","product":{"product_data":[{"product_name":"cmd/go","version":{"version_data":[{"version_affected":"<","version_name":"1.21.0-0","version_value":"1.21.1"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/62198","refsource":"MISC","name":"https://go.dev/issue/62198"},{"url":"https://go.dev/cl/526158","refsource":"MISC","name":"https://go.dev/cl/526158"},{"url":"https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ","refsource":"MISC","name":"https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"},{"url":"https://pkg.go.dev/vuln/GO-2023-2042","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-2042"},{"url":"https://security.netapp.com/advisory/ntap-20231020-0004/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20231020-0004/"}]},"credits":[{"lang":"en","value":"Juho Nurminen of Mattermost"}]},"nvd":{"publishedDate":"2023-09-08 17:15:00","lastModifiedDate":"2023-11-07 04:17:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.21.0","versionEndExcluding":"1.21.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}