Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-39320

Summary
Assigner-Go
Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc
Published At-08 Sep, 2023 | 16:13
Updated At-13 Feb, 2025 | 17:02
Rejected At-
Credits

Arbitrary code execution via go.mod toolchain directive in cmd/go

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Go
Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc
Published At:08 Sep, 2023 | 16:13
Updated At:13 Feb, 2025 | 17:02
Rejected At:
▼CVE Numbering Authority (CNA)
Arbitrary code execution via go.mod toolchain directive in cmd/go

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Affected Products
Vendor
Go toolchain
Product
cmd/go
Collection URL
https://pkg.go.dev
Package Name
cmd/go
Default Status
unaffected
Versions
Affected
  • From 1.21.0-0 before 1.21.1 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-94: Improper Control of Generation of Code ('Code Injection')
Type: N/A
CWE ID: N/A
Description: CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Juho Nurminen of Mattermost
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/issue/62198
N/A
https://go.dev/cl/526158
N/A
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
N/A
https://pkg.go.dev/vuln/GO-2023-2042
N/A
https://security.netapp.com/advisory/ntap-20231020-0004/
N/A
https://security.gentoo.org/glsa/202311-09
N/A
Hyperlink: https://go.dev/issue/62198
Resource: N/A
Hyperlink: https://go.dev/cl/526158
Resource: N/A
Hyperlink: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
Resource: N/A
Hyperlink: https://pkg.go.dev/vuln/GO-2023-2042
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20231020-0004/
Resource: N/A
Hyperlink: https://security.gentoo.org/glsa/202311-09
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/issue/62198
x_transferred
https://go.dev/cl/526158
x_transferred
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
x_transferred
https://pkg.go.dev/vuln/GO-2023-2042
x_transferred
https://security.netapp.com/advisory/ntap-20231020-0004/
x_transferred
https://security.gentoo.org/glsa/202311-09
x_transferred
Hyperlink: https://go.dev/issue/62198
Resource:
x_transferred
Hyperlink: https://go.dev/cl/526158
Resource:
x_transferred
Hyperlink: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
Resource:
x_transferred
Hyperlink: https://pkg.go.dev/vuln/GO-2023-2042
Resource:
x_transferred
Hyperlink: https://security.netapp.com/advisory/ntap-20231020-0004/
Resource:
x_transferred
Hyperlink: https://security.gentoo.org/glsa/202311-09
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@golang.org
Published At:08 Sep, 2023 | 17:15
Updated At:25 Nov, 2023 | 11:15

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Go
golang
>>go>>Versions from 1.21.0(inclusive) to 1.21.1(exclusive)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-94Primarynvd@nist.gov
CWE ID: CWE-94
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://go.dev/cl/526158security@golang.org
Patch
https://go.dev/issue/62198security@golang.org
Issue Tracking
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJsecurity@golang.org
Release Notes
https://pkg.go.dev/vuln/GO-2023-2042security@golang.org
Vendor Advisory
https://security.gentoo.org/glsa/202311-09security@golang.org
N/A
https://security.netapp.com/advisory/ntap-20231020-0004/security@golang.org
Third Party Advisory
Hyperlink: https://go.dev/cl/526158
Source: security@golang.org
Resource:
Patch
Hyperlink: https://go.dev/issue/62198
Source: security@golang.org
Resource:
Issue Tracking
Hyperlink: https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
Source: security@golang.org
Resource:
Release Notes
Hyperlink: https://pkg.go.dev/vuln/GO-2023-2042
Source: security@golang.org
Resource:
Vendor Advisory
Hyperlink: https://security.gentoo.org/glsa/202311-09
Source: security@golang.org
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20231020-0004/
Source: security@golang.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found