Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2020-28367
PUBLISHED
More InfoOfficial Page
Assigner-Go
Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc
View Known Exploited Vulnerability (KEV) details
Published At-18 Nov, 2020 | 00:00
Updated At-04 Aug, 2024 | 16:33
Rejected At-
▼CVE Numbering Authority (CNA)
Arbitrary code execution via the go command with cgo in cmd/go

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Affected Products
Vendor
Go toolchain
Product
cmd/go
Collection URL
https://pkg.go.dev
Package Name
cmd/go
Program Routines
  • validCompilerFlags
Default Status
unaffected
Versions
Affected
  • From 0 before 1.14.12 (semver)
  • From 1.15.0-0 before 1.15.5 (semver)
Problem Types
TypeCWE IDDescription
N/AN/ACWE-94: Improper Control of Generation of Code ('Code Injection')
Type: N/A
CWE ID: N/A
Description: CWE-94: Improper Control of Generation of Code ('Code Injection')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Imre Rad
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/cl/267277
N/A
https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
N/A
https://go.dev/issue/42556
N/A
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
N/A
https://pkg.go.dev/vuln/GO-2022-0476
N/A
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
N/A
Hyperlink: https://go.dev/cl/267277
Resource: N/A
Hyperlink: https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
Resource: N/A
Hyperlink: https://go.dev/issue/42556
Resource: N/A
Hyperlink: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Resource: N/A
Hyperlink: https://pkg.go.dev/vuln/GO-2022-0476
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
Resource: N/A
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://go.dev/cl/267277
x_transferred
https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
x_transferred
https://go.dev/issue/42556
x_transferred
https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
x_transferred
https://pkg.go.dev/vuln/GO-2022-0476
x_transferred
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
x_transferred
Hyperlink: https://go.dev/cl/267277
Resource:
x_transferred
Hyperlink: https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
Resource:
x_transferred
Hyperlink: https://go.dev/issue/42556
Resource:
x_transferred
Hyperlink: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Resource:
x_transferred
Hyperlink: https://pkg.go.dev/vuln/GO-2022-0476
Resource:
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
Resource:
x_transferred
Details not found