8.1

CVE-2023-39323

Arbitrary code execution during build via line directives in cmd/go

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version < 1.20.9
GolangGo Version >= 1.21.0 < 1.21.2
FedoraprojectFedora Version37
FedoraprojectFedora Version38
FedoraprojectFedora Version39
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.76% 0.752
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://security.gentoo.org/glsa/202311-09
Third Party Advisory
https://go.dev/cl/533215
Patch
https://go.dev/issue/63211
Patch
Issue Tracking
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
Third Party Advisory
Mailing List
https://pkg.go.dev/vuln/GO-2023-2095
Vendor Advisory
https://security.netapp.com/advisory/ntap-20231020-0001/
Third Party Advisory