Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
References
Link | Resource |
---|---|
https://blog.golang.org/path-security | Vendor Advisory |
https://groups.google.com/g/golang-announce/c/mperVMGa98w | Release Notes Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/ | |
https://security.gentoo.org/glsa/202208-02 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210219-0001/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
14 Sep 2022, 21:02
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory |
04 Aug 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 May 2022, 16:04
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-427 |
Information
Published : 2021-01-26 18:16
Updated : 2024-02-04 21:23
NVD link : CVE-2021-3115
Mitre link : CVE-2021-3115
CVE.ORG link : CVE-2021-3115
JSON object : View
Products Affected
microsoft
- windows
netapp
- storagegrid
- cloud_insights_telegraf_agent
golang
- go
fedoraproject
- fedora
CWE
CWE-427
Uncontrolled Search Path Element