CVE-2020-28367

Code injection in the go command with cgo before Go 1.14.12 and in 1.15.x before Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. The go command passes the flags from a package's #cgo directives to the C compiler, so with an affected toolchain the vulnerability can be triggered by running go get on a malicious package, or by any other command that builds untrusted code, on a host with cgo enabled. Fixed in Go 1.14.12 and Go 1.15.5 (https://go.dev/issue/42556, https://go.dev/cl/267277).
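How the flags reach the compiler, and one way to audit source for them before building it with an affected toolchain. The cgo preamble (the comment block immediately above `import "C"`) may contain `#cgo CFLAGS:`, `#cgo LDFLAGS:` and `#cgo pkg-config:` lines; the go command collects these from every package it compiles, dependencies included, and hands them to gcc, which is why a dependency's source controls compiler arguments on the build host. The Go program below is an added example written for this page; it is not code from the Go project or from the advisory. It parses the preamble with go/parser, extracts the directives, and reports any argument that a conservative allowlist does not accept. The allowlists, the sample file `sampleSource` (constructed for this example) and the whitespace-only argument splitting are this example's own simplifications; the go command's real validation lives in cmd/go and differs in detail. A finding is a candidate for manual review, not proof that a package is malicious. Where cgo is not needed, building with `CGO_ENABLED=0` avoids invoking the C compiler at all.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// cgoDirective is one "#cgo [constraints] KIND: args" line taken from the
// cgo preamble, the comment block that immediately precedes `import "C"`.
type cgoDirective struct {
	File string
	Line int
	Kind string   // CFLAGS, CPPFLAGS, CXXFLAGS, FFLAGS, LDFLAGS, pkg-config
	Args []string // arguments after the colon, split on whitespace
}

// Conservative allowlists used by this example. They are an assumption of
// this example, not the go command's own list (cmd/go/internal/work).
var allowedCompilerArg = regexp.MustCompile(
	`^(-D[A-Za-z_][A-Za-z0-9_]*(=[^@-].*)?|-U[A-Za-z_][A-Za-z0-9_]*|-I[^@-].*|` +
		`-O[0-3sgz]?|-W(all|extra|error|no-[A-Za-z0-9-]+)|-std=[^@-].*|` +
		`-f(no-)?(pic|PIC|pie|PIE)|-g|-pthread)$`)
var allowedLinkerArg = regexp.MustCompile(`^(-L[^@-].*|-l[^@-].*|-pthread)$`)

// sampleSource is a constructed Go file for this example, not real project
// code. Line 6 carries a flag that makes gcc load a compiler plugin, which a
// conservative allowlist must not accept from untrusted source.
const sampleSource = `package native

// Constructed sample for this example, not real project code.
// #cgo CFLAGS: -I/usr/include/foo -DFOO_VERSION=2 -O2 -Wall
// #cgo linux LDFLAGS: -L/usr/lib/foo -lfoo
// #cgo CFLAGS: -fplugin=./plugin.so
// #cgo pkg-config: foo
import "C"
`

// extractDirectives parses one Go source file (import section only) and
// returns every #cgo directive found in the preamble of `import "C"`.
func extractDirectives(filename, src string) ([]cgoDirective, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly|parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []cgoDirective
	for _, decl := range f.Decls {
		gd, ok := decl.(*ast.GenDecl)
		if !ok || gd.Tok != token.IMPORT {
			continue
		}
		for _, spec := range gd.Specs {
			is := spec.(*ast.ImportSpec)
			if is.Path.Value != `"C"` {
				continue
			}
			// go/parser attaches the preamble to the spec inside import (...)
			// and to the declaration when `import "C"` stands on its own.
			doc := is.Doc
			if doc == nil && len(gd.Specs) == 1 {
				doc = gd.Doc
			}
			if doc == nil {
				continue
			}
			for _, c := range doc.List {
				out = append(out, parsePreamble(filename, fset.Position(c.Pos()).Line, c.Text)...)
			}
		}
	}
	return out, nil
}

// parsePreamble scans one comment for "#cgo" lines. Unlike cmd/cgo it splits
// arguments with strings.Fields, so a quoted argument containing spaces is
// split apart (a simplification of this example).
func parsePreamble(filename string, firstLine int, comment string) []cgoDirective {
	text := strings.TrimPrefix(comment, "//")
	text = strings.TrimSuffix(strings.TrimPrefix(text, "/*"), "*/")
	var out []cgoDirective
	for i, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "#cgo" {
			continue
		}
		rest := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "#cgo"))
		colon := strings.Index(rest, ":")
		if colon < 0 {
			continue
		}
		head := strings.Fields(rest[:colon]) // optional GOOS/GOARCH constraints, then the kind
		if len(head) == 0 {
			continue
		}
		out = append(out, cgoDirective{File: filename, Line: firstLine + i,
			Kind: head[len(head)-1], Args: strings.Fields(rest[colon+1:])})
	}
	return out
}

// audit returns one finding per argument the allowlists do not accept.
// pkg-config (and any unknown kind) is always reported, because pkg-config
// runs an external program whose output becomes compiler and linker flags.
func audit(ds []cgoDirective) []string {
	var findings []string
	for _, d := range ds {
		var allowed *regexp.Regexp
		switch d.Kind {
		case "CFLAGS", "CPPFLAGS", "CXXFLAGS", "FFLAGS":
			allowed = allowedCompilerArg
		case "LDFLAGS":
			allowed = allowedLinkerArg
		default:
			findings = append(findings, fmt.Sprintf("%s:%d: %s directive (%s) needs manual review",
				d.File, d.Line, d.Kind, strings.Join(d.Args, " ")))
			continue
		}
		for _, a := range d.Args {
			if !allowed.MatchString(a) {
				findings = append(findings, fmt.Sprintf("%s:%d: %s argument %q not in allowlist",
					d.File, d.Line, d.Kind, a))
			}
		}
	}
	return findings
}

func main() {
	ds, err := extractDirectives("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range audit(ds) {
		fmt.Println(f)
	}
}
```

Run against the embedded sample, the two benign directives pass and the program reports the `-fplugin=` argument on line 6 and the pkg-config directive on line 7. To audit a real module, call extractDirectives on each .go file under the module cache or vendor directory; go/parser only reads the import section, so this is cheap even for large trees.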
Configurations

Configuration 1

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* (version bounds are not shown on this page; per the description the affected versions are Go before 1.14.12 and 1.15.x before 1.15.5)

History

20 Apr 2023, 00:15

Type: References
  Values Removed: (none)
  Values Added:
    • (MISC) https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html

03 Mar 2023, 14:36

Type: CPE
  Values Removed:
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  Values Added: (none)

Type: CWE
  Values Removed: CWE-88
  Values Added: CWE-94

Type: References (URLs unchanged; tags added)
  (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 - Product
  (MISC) https://go.dev/cl/267277 - Product, Release Notes
  (MISC) https://go.dev/issue/42556 - Issue Tracking, Patch, Third Party Advisory
  (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Mailing List, Third Party Advisory (was: Third Party Advisory)
  (MISC) https://pkg.go.dev/vuln/GO-2022-0476 - Vendor Advisory

10 Aug 2022, 20:15

Type: References
  Values Removed:
    • (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory [GLSA-202208-02]
    • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory [FEDORA-2020-e971480183]
    • (MISC) https://github.com/golang/go/issues/42556 - Third Party Advisory
    • (MLIST) https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html - Third Party Advisory [[debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update]
    • (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory
    • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/ - Third Party Advisory [FEDORA-2020-864922e78a]
    • (MLIST) https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd@%3Cissues.trafficcontrol.apache.org%3E - Mailing List, Vendor Advisory [[trafficcontrol-issues] 20201112 [GitHub] [trafficcontrol] zrhoffman opened a new pull request #5278: Update Go version to 1.15.5]
  Values Added:
    • (MISC) https://go.dev/cl/267277
    • (MISC) https://pkg.go.dev/vuln/GO-2022-0476
    • (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
    • (MISC) https://go.dev/issue/42556

Type: Summary
  Values Removed: Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.
  Values Added: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

06 Aug 2022, 03:47

Type: References (URLs unchanged; tags added)
  (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory
  (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory
  (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory

Type: CPE
  Values Removed: (none)
  Values Added:
    cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*

04 Aug 2022, 16:15

Type: References
  Values Removed: (none)
  Values Added:
    • (GENTOO) https://security.gentoo.org/glsa/202208-02

Information

Published : 2020-11-18 17:15

Updated : 2024-02-04 21:23


NVD link : CVE-2020-28367

Mitre link : CVE-2020-28367

CVE.ORG link : CVE-2020-28367


Products Affected

golang

  • go
CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')