{"api_version":"1","generated_at":"2026-04-22T20:52:43+00:00","cve":"CVE-2023-39323","urls":{"html":"https://cve.report/CVE-2023-39323","api":"https://cve.report/api/cve/CVE-2023-39323.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-39323","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-39323"},"summary":{"title":"CVE-2023-39323","description":"Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-10-05 21:15:00","updated_at":"2024-01-04 18:04:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202311-09","name":"https://security.gentoo.org/glsa/202311-09","refsource":"","tags":["Third Party Advisory"],"title":"Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://go.dev/issue/63211","name":"https://go.dev/issue/63211","refsource":"MISC","tags":[],"title":"cmd/go: line directives allows arbitrary execution during build (CVE-2023-39323) · Issue #63211 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://pkg.go.dev/vuln/GO-2023-2095","name":"https://pkg.go.dev/vuln/GO-2023-2095","refsource":"MISC","tags":[],"title":"GO-2023-2095 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: golang-1.20.10-2.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20231020-0001/","name":"https://security.netapp.com/advisory/ntap-20231020-0001/","refsource":"MISC","tags":[],"title":"CVE-2023-39323 Golang Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/533215","name":"https://go.dev/cl/533215","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/XBa1oHDevAo","name":"https://groups.google.com/g/golang-announce/c/XBa1oHDevAo","refsource":"MISC","tags":[],"title":"[security] Go 1.21.2 and Go 1.20.9 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 39 Update: golang-1.21.3-1.fc39 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-1.20.10-3.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-39323","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39323","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"39323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"39323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"39323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"39","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"39323","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-39323","qid":"200040","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6574-1)"},{"cve":"CVE-2023-39323","qid":"284688","title":"Fedora Security Update for golang (FEDORA-2023-fe53e13b5b)"},{"cve":"CVE-2023-39323","qid":"284689","title":"Fedora Security Update for golang (FEDORA-2023-4bf641255e)"},{"cve":"CVE-2023-39323","qid":"285182","title":"Fedora Security Update for golang (FEDORA-2023-822aab0a5a)"},{"cve":"CVE-2023-39323","qid":"296105","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)"},{"cve":"CVE-2023-39323","qid":"356411","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2313"},{"cve":"CVE-2023-39323","qid":"356455","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1871"},{"cve":"CVE-2023-39323","qid":"356513","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-394"},{"cve":"CVE-2023-39323","qid":"356597","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2ECS-2023-016"},{"cve":"CVE-2023-39323","qid":"356624","title":"Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2023-2023-420"},{"cve":"CVE-2023-39323","qid":"503374","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-39323","qid":"506087","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-39323","qid":"673519","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3270)"},{"cve":"CVE-2023-39323","qid":"673612","title":"EulerOS Security Update for golang (EulerOS-SA-2024-1082)"},{"cve":"CVE-2023-39323","qid":"673850","title":"EulerOS Security Update for golang (EulerOS-SA-2024-1140)"},{"cve":"CVE-2023-39323","qid":"673979","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3299)"},{"cve":"CVE-2023-39323","qid":"673981","title":"EulerOS Security Update for golang (EulerOS-SA-2024-1058)"},{"cve":"CVE-2023-39323","qid":"673988","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3331)"},{"cve":"CVE-2023-39323","qid":"674107","title":"EulerOS Security Update for golang (EulerOS-SA-2023-3242)"},{"cve":"CVE-2023-39323","qid":"710791","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202311-09)"},{"cve":"CVE-2023-39323","qid":"755051","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:4018-1)"},{"cve":"CVE-2023-39323","qid":"755052","title":"SUSE Enterprise Linux Security Update for go1.21 (SUSE-SU-2023:4017-1)"},{"cve":"CVE-2023-39323","qid":"755272","title":"SUSE Enterprise Linux Security Update for go1.20-openssl (SUSE-SU-2023:4472-1)"},{"cve":"CVE-2023-39323","qid":"755275","title":"SUSE Enterprise Linux Security Update for go1.21-openssl (SUSE-SU-2023:4469-1)"},{"cve":"CVE-2023-39323","qid":"907547","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31107-1)"},{"cve":"CVE-2023-39323","qid":"907803","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (31107-2)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-39323","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE 94: Improper Control of Generation of Code ('Code Injection')"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go toolchain","product":{"product_data":[{"product_name":"cmd/go","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.20.9"},{"version_affected":"<","version_name":"1.21.0-0","version_value":"1.21.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/63211","refsource":"MISC","name":"https://go.dev/issue/63211"},{"url":"https://go.dev/cl/533215","refsource":"MISC","name":"https://go.dev/cl/533215"},{"url":"https://groups.google.com/g/golang-announce/c/XBa1oHDevAo","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"},{"url":"https://pkg.go.dev/vuln/GO-2023-2095","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-2095"},{"url":"https://security.netapp.com/advisory/ntap-20231020-0001/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20231020-0001/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"}]}},"nvd":{"publishedDate":"2023-10-05 21:15:00","lastModifiedDate":"2024-01-04 18:04:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.20.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.21.0","versionEndExcluding":"1.21.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}