CVE-2023-39320: Arbitrary code execution via go.mod toolchain directive in cmd/go
First published: Fri Sep 08 2023(Updated: )
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | >=1.21.0<1.21.1 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2023-39320.
What is the severity of CVE-2023-39320?
The severity of CVE-2023-39320 is critical with a score of 9.8 out of 10.
Which software is affected by CVE-2023-39320?
The software affected by CVE-2023-39320 is Golang Go versions 1.21.0 to 1.21.1.
How does CVE-2023-39320 work?
CVE-2023-39320 leverages the go.mod toolchain directive in Go 1.21 to execute scripts and binaries relative to the root of the module.
Is there a fix available for CVE-2023-39320?
Yes, a fix for CVE-2023-39320 is available. It is recommended to upgrade Golang Go to a version higher than 1.21.1.
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/event
- agent/title
- agent/references
- agent/weakness
- agent/severity
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/golang
- canonical/golang go
- version/golang go/1.21.0