Main Vulnerability Database Vulnerabilities #VU101963

#VU101963 OS Command Injection in Go programming language - CVE-2023-24531

Published: December 27, 2024

Vulnerability identifier: #VU101963

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-24531

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when handling output of environment variables. A local user can execute arbitrary commands on the system by setting specially crafted values to environment variables and making "go env" print them out.

Remediation

Install updates from vendor's website.

External links

https://go.dev/cl/488375
https://go.dev/cl/493535
https://go.dev/issue/58508
https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ
https://pkg.go.dev/vuln/GO-2024-2962

#VU101963 OS Command Injection in Go programming language - CVE-2023-24531

Description

Remediation

External links

Please verify you're human