CVE-2023-39320

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/526158	Patch
https://go.dev/issue/62198	Issue Tracking
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ	Release Notes
https://pkg.go.dev/vuln/GO-2023-2042	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0004/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

History

25 Nov 2023, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-08 17:15

Updated : 2024-02-05 00:01

NVD link : CVE-2023-39320

Mitre link : CVE-2023-39320

CVE.ORG link : CVE-2023-39320

JSON object : View

Products Affected

golang

go

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2023-39320", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-09-08T17:15:27.977", "references": [{"url": "https://go.dev/cl/526158", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/62198", "tags": ["Issue Tracking"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", "tags": ["Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://security.gentoo.org/glsa/202311-09", "source": "security@golang.org"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/", "tags": ["Third Party Advisory"], "source": "security@golang.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}, {"lang": "es", "value": "La directiva de cadena de herramientas go.mod, introducida en Go 1.21, se puede aprovechar para ejecutar scripts y binarios relativos a la ra\u00edz del m\u00f3dulo cuando el comando \"go\" se ejecut\u00f3 dentro del m\u00f3dulo. Esto se aplica a los m\u00f3dulos descargados utilizando el comando \"go\" desde el proxy del m\u00f3dulo, as\u00ed como a los m\u00f3dulos descargados directamente mediante el software VCS."}], "lastModified": "2023-11-25T11:15:17.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "958E1BA0-2840-47E9-A790-79C10164C68C", "versionEndExcluding": "1.21.1", "versionStartIncluding": "1.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}