critical
9.8
CWE
94 20
Advisory Published
CVE Published
Updated

CVE-2020-28367: Arbitrary code execution via the go command with cgo in cmd/go

First published: Thu Nov 12 2020(Updated: )

An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/openshift-serverless-clients<0:0.18.4-2.el8
0:0.18.4-2.el8
redhat/go-toolset<1.14-0:1.14.12-1.el7_9
1.14-0:1.14.12-1.el7_9
redhat/go-toolset<1.14-golang-0:1.14.12-1.el7_9
1.14-golang-0:1.14.12-1.el7_9
redhat/go<1.15.5
1.15.5
redhat/go<1.14.12
1.14.12
IBM Cloud Pak for Security<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software<=1.10.12.0 - 1.10.16.0
Go<1.14.12
Go>=1.15<1.15.5

Remedy

https://go.dev/issue/42556

Remedy

If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`. For example: CGO_ENABLED=0 go get github.com/someproject This will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2020-28367?

    CVE-2020-28367 is a code injection vulnerability in the go command with cgo before Go 1.14.12 and Go 1.15.5 that allows arbitrary code execution.

  • How does CVE-2020-28367 impact Go?

    CVE-2020-28367 allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via `go get` or `go build`.

  • What is the severity of CVE-2020-28367?

    CVE-2020-28367 has a severity rating of high (7 out of 10).

  • Which versions of Go are affected by CVE-2020-28367?

    CVE-2020-28367 affects Go versions before Go 1.14.12 and Go 1.15.5.

  • How can I mitigate the risk of CVE-2020-28367?

    To mitigate the risk of CVE-2020-28367, it is recommended to update to Go 1.14.12 or Go 1.15.5.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203