Main Vulnerability Database Vulnerabilities #VU77531

Code Injection in Go programming language - CVE-2023-29405

Published: June 19, 2023

Vulnerability identifier: #VU77531

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29405

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Go programming language

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

How to mitigate CVE-2023-29405

Install updates from vendor's website.

Sources

https://go.dev/issue/60306
https://pkg.go.dev/vuln/GO-2023-1842
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://go.dev/cl/501224

Code Injection in Go programming language - CVE-2023-29405

Detailed vulnerability description

How to mitigate CVE-2023-29405

Sources

Please verify you're human