CVE-2023-39320 - OpenCVE

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go

Configuration 1 [-]

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

References

Link	Resource
https://go.dev/cl/526158	Patch
https://go.dev/issue/62198	Issue Tracking
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ	Release Notes
https://pkg.go.dev/vuln/GO-2023-2042	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0004/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2023-09-08T16:13:26.609Z

Updated: 2023-09-08T16:13:26.609Z

Reserved: 2023-07-27T17:05:55.186Z

Link: CVE-2023-39320

JSON object: View

NVD Information

Status : Modified

Published: 2023-09-08T17:15:27.977

Modified: 2023-11-25T11:15:17.630

Link: CVE-2023-39320

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "958E1BA0-2840-47E9-A790-79C10164C68C", "versionEndExcluding": "1.21.1", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}, {"lang": "es", "value": "La directiva de cadena de herramientas go.mod, introducida en Go 1.21, se puede aprovechar para ejecutar scripts y binarios relativos a la ra\u00edz del m\u00f3dulo cuando el comando \"go\" se ejecut\u00f3 dentro del m\u00f3dulo. Esto se aplica a los m\u00f3dulos descargados utilizando el comando \"go\" desde el proxy del m\u00f3dulo, as\u00ed como a los m\u00f3dulos descargados directamente mediante el software VCS."}], "id": "CVE-2023-39320", "lastModified": "2023-11-25T11:15:17.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-08T17:15:27.977", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/526158"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/62198"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}