Vulnerability CVE-2023-39320: Information

Description

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: Sept. 8, 2023
Modified: Nov. 25, 2023
Error type identifier: CWE-94

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| golang | sisyphus | 1.21.1-alt1 | 1.22.2-alt1 | ALT-PU-2023-5463-1 | 328866 | Fixed |
| golang | sisyphus_riscv64 | 1.21.1-alt0.port | 1.22.2-alt1 | ALT-PU-2023-5614-1 | - | Fixed |
| golang | p10 | 1.20.8-alt1 | 1.21.9-alt1 | ALT-PU-2023-5464-2 | 328867 | Fixed |
| golang | c10f1 | 1.20.8-alt1 | 1.21.9-alt1 | ALT-PU-2023-5492-2 | 328868 | Fixed |
| golang | c9f2 | 1.20.11-alt1 | 1.20.11-alt1 | ALT-PU-2023-7055-2 | 333913 | Fixed |

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
      Start including: 1.21.0
      End excluding: 1.21.1