Multiple vulnerabilities in Go

1) Incorrect calculation

EUVDB-ID: #VU50047

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3114

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to incorrect calculation performed by the application in "crypto/elliptic/p224.go". A remote attacker can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.14.1 - 1.15.6

Fixed software versions

CPE2.3

• cpe:2.3:a:google:golang:1.14.1:*:*:*:*:*:*:*

External links

http://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871
http://groups.google.com/g/golang-announce/c/mperVMGa98w

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) OS Command Injection

EUVDB-ID: #VU50046

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3115

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when using the "go get" command to fetch modules that make use of cgo. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.14.1 - 1.15.6

Fixed software versions

CPE2.3

• cpe:2.3:a:google:golang:1.14.1:*:*:*:*:*:*:*

External links

http://blog.golang.org/path-security
http://groups.google.com/g/golang-announce/c/mperVMGa98w

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?