Bug 2237775 (CVE-2023-39320) - CVE-2023-39320 golang: cmd/go: go.mod toolchain directive allows arbitrary execution
Summary: CVE-2023-39320 golang: cmd/go: go.mod toolchain directive allows arbitrary ex...
Keywords:
Status: NEW
Alias: CVE-2023-39320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2238074 2238075 2238090 2238804 2238805
Blocks: 2237770
Reported: 2023-09-06 20:22 UTC by Patrick Del Bello
Modified: 2024-01-30 18:13 UTC

Fixed In Version: golang 1.21.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy and downloaded directly using VCS software.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2023-09-06 20:22:35 UTC
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
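As an added defensive check (example code, not from the bug report or the Go project): a scanner that reads go.mod text and reports any toolchain directive whose value does not look like a Go toolchain name, in particular values carrying a path separator, which is the kind of value a hardened toolchain switch should never act on. The accepted name pattern and the sample go.mod are this example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// toolchainName is this example's assumed shape of an acceptable directive:
// "go" + version (1.21, 1.21.1, 1.21rc1) + optional "-suffix" of safe characters.
var toolchainName = regexp.MustCompile(`^go1\.[0-9]+(\.[0-9]+)?((rc|beta)[0-9]+)?(-[A-Za-z0-9_.]+)?$`)

// Finding describes one suspicious toolchain directive.
type Finding struct {
	Line  int
	Value string
	Why   string
}

// CheckGoMod scans go.mod text line by line and returns one Finding per
// toolchain directive whose value is not a well-formed toolchain name.
func CheckGoMod(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		code := strings.SplitN(sc.Text(), "//", 2)[0] // drop trailing comments
		fields := strings.Fields(code)
		if len(fields) < 2 || fields[0] != "toolchain" {
			continue
		}
		v := fields[1]
		switch {
		case strings.ContainsAny(v, `/\`):
			out = append(out, Finding{n, v, "contains a path separator"})
		case !toolchainName.MatchString(v):
			out = append(out, Finding{n, v, "not a well-formed Go toolchain name"})
		}
	}
	return out
}

// sample is a constructed go.mod (not taken from the report) with one bad directive.
const sample = "module example.com/demo\n\ngo 1.21\n\ntoolchain ./tools/build // constructed bad value\n"

func main() {
	for _, f := range CheckGoMod(sample) {
		fmt.Printf("go.mod:%d: toolchain %q: %s\n", f.Line, f.Value, f.Why)
	}
}
```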

Comment 6 Anten Skrabec 2023-09-13 17:17:54 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238804]
Affects: fedora-all [bug 2238805]

