Main Vulnerability Database Vulnerabilities #VU77531

#VU77531 Code Injection in Go programming language - CVE-2023-29405

Published: June 19, 2023

Vulnerability identifier: #VU77531

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29405

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime when running "go get" on a malicious module, or when running any other
command which builds untrusted code.A remote attacker can inject and execute arbitrary code on the target system at build time when using cgo.

Remediation

Install updates from vendor's website.

External links

https://go.dev/issue/60306
https://pkg.go.dev/vuln/GO-2023-1842
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://go.dev/cl/501224

#VU77531 Code Injection in Go programming language - CVE-2023-29405

Description

Remediation

External links

Please verify you're human