{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39320", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-07-27T17:05:55.186Z", "datePublished": "2023-09-08T16:13:26.609Z", "dateUpdated": "2025-02-13T17:02:48.022Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-11-25T11:10:00.880Z"}, "title": "Arbitrary code execution via go.mod toolchain directive in cmd/go", "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "1.21.0-0", "lessThan": "1.21.1", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://go.dev/issue/62198"}, {"url": "https://go.dev/cl/526158"}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.849Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/62198", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/526158", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-09", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-26T17:28:10.391044Z", "id": "CVE-2023-39320", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T17:28:41.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/62198", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/526158", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-09", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.849Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-26T17:28:10.391044Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-26T17:28:25.941Z"}}], "cna": {"title": "Arbitrary code execution via go.mod toolchain directive in cmd/go", "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "versions": [{"status": "affected", "version": "1.21.0-0", "lessThan": "1.21.1", "versionType": "semver"}], "packageName": "cmd/go", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/issue/62198"}, {"url": "https://go.dev/cl/526158"}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-11-25T11:10:00.880Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39320", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:02:48.022Z", "dateReserved": "2023-07-27T17:05:55.186Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2023-09-08T16:13:26.609Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "958E1BA0-2840-47E9-A790-79C10164C68C", "versionEndExcluding": "1.21.1", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}, {"lang": "es", "value": "La directiva de cadena de herramientas go.mod, introducida en Go 1.21, se puede aprovechar para ejecutar scripts y binarios relativos a la ra\u00edz del m\u00f3dulo cuando el comando \"go\" se ejecut\u00f3 dentro del m\u00f3dulo. Esto se aplica a los m\u00f3dulos descargados utilizando el comando \"go\" desde el proxy del m\u00f3dulo, as\u00ed como a los m\u00f3dulos descargados directamente mediante el software VCS."}], "id": "CVE-2023-39320", "lastModified": "2024-11-21T08:15:09.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-08T17:15:27.977", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/526158"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/62198"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://go.dev/cl/526158"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/62198"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Juho Nurminen (Mattermost) for reporting this issue.", "bugzilla": {"description": "golang: cmd/go: go.mod toolchain directive allows arbitrary execution", "id": "2237775", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237775"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software.", "A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy and downloaded directly using VCS software."], "name": "CVE-2023-39320", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "go-toolset-7-golang", "product_name": "Red Hat Storage 3"}], "public_date": "2023-09-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39320\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39320\nhttps://go.dev/cl/526158\nhttps://go.dev/issue/62198\nhttps://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ\nhttps://vuln.go.dev/ID/GO-2023-2042.json"], "threat_severity": "Important", "upstream_fix": "golang 1.21.1"}