Main Vulnerability Database Vulnerabilities #VU77530

#VU77530 Code Injection in Go programming language - CVE-2023-29404

Published: June 19, 2023

Vulnerability identifier: #VU77530

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29404

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

Remediation

Install updates from vendor's website.

External links

https://go.dev/issue/60305
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://pkg.go.dev/vuln/GO-2023-1841
https://go.dev/cl/501225

#VU77530 Code Injection in Go programming language - CVE-2023-29404

Description

Remediation

External links

Please verify you're human