#VU77528 Code Injection in Go programming language - CVE-2023-29402
Published: June 19, 2023
Vulnerability identifier: #VU77528
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29402
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the cgo go command when building code that contains directories with newline characters in their names. A remote attacker can pass specially crafted input to the cgo command at build time and potentially compromise the system.
Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
Remediation
Install updates from vendor's website.