ByteOS Network

NVD Vulnerability Details :

CVE-2023-24531

Deferred

Source-security@golang.org

Published At-02 Jul, 2024 | 20:15

Updated At-15 Apr, 2026 | 00:35

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Hyperlink	Source	Resource
https://go.dev/cl/488375	security@golang.org	N/A
https://go.dev/cl/493535	security@golang.org	N/A
https://go.dev/issue/58508	security@golang.org	N/A
https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ	security@golang.org	N/A
https://pkg.go.dev/vuln/GO-2024-2962	security@golang.org	N/A
https://go.dev/cl/488375	af854a3a-2127-422b-91ae-364da2661108	N/A
https://go.dev/cl/493535	af854a3a-2127-422b-91ae-364da2661108	N/A
https://go.dev/issue/58508	af854a3a-2127-422b-91ae-364da2661108	N/A
https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ	af854a3a-2127-422b-91ae-364da2661108	N/A
https://pkg.go.dev/vuln/GO-2024-2962	af854a3a-2127-422b-91ae-364da2661108	N/A
https://security.netapp.com/advisory/ntap-20250328-0005/	af854a3a-2127-422b-91ae-364da2661108	N/A