CVE-2023-29405 - OpenCVE

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

References

Link	Resource
https://go.dev/cl/501224	Patch
https://go.dev/issue/60306	Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/	Mailing List
https://pkg.go.dev/vuln/GO-2023-1842	Vendor Advisory
https://security.gentoo.org/glsa/202311-09

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2023-06-08T20:19:19.267Z

Updated: 2024-01-04T18:09:23.809Z

Reserved: 2023-04-05T19:36:35.043Z

Link: CVE-2023-29405

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-08T21:15:17.197

Modified: 2023-11-25T11:15:14.647

Link: CVE-2023-29405

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-29405", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-04-05T19:36:35.043Z", "datePublished": "2023-06-08T20:19:19.267Z", "dateUpdated": "2024-01-04T18:09:23.809Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-01-04T18:09:23.809Z"}, "title": "Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go", "descriptions": [{"lang": "en", "value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.19.10", "status": "affected", "versionType": "semver"}, {"version": "1.20.0-0", "lessThan": "1.20.5", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Go toolchain", "product": "cmd/cgo", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/cgo", "versions": [{"version": "0", "lessThan": "1.19.10", "status": "affected", "versionType": "semver"}, {"version": "1.20.0-0", "lessThan": "1.20.5", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "references": [{"url": "https://go.dev/issue/60306"}, {"url": "https://go.dev/cl/501224"}, {"url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2023-1842"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E17A25CE-A8C9-4F89-916A-BB0327A509C9", "versionEndExcluding": "1.19.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "53EC811C-49DE-4470-908C-CDC9282EC7FA", "versionEndExcluding": "1.20.5", "versionStartIncluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The go command may execute arbitrary code at build time when using cgo. This may occur when running \"go get\" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a \"#cgo LDFLAGS\" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler."}], "id": "CVE-2023-29405", "lastModified": "2023-11-25T11:15:14.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-08T21:15:17.197", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/501224"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/60306"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/"}, {"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-1842"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}