{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-28367", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "dateUpdated": "2024-08-04T16:33:59.087Z", "dateReserved": "2020-11-09T00:00:00", "datePublished": "2020-11-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:04:24.544Z"}, "title": "Arbitrary code execution via the go command with cgo in cmd/go", "descriptions": [{"lang": "en", "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.14.12", "status": "affected", "versionType": "semver"}, {"version": "1.15.0-0", "lessThan": "1.15.5", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "validCompilerFlags"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://go.dev/cl/267277"}, {"url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"}, {"url": "https://go.dev/issue/42556"}, {"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0476"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}], "credits": [{"lang": "en", "value": "Imre Rad"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:33:59.087Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/267277", "tags": ["x_transferred"]}, {"url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/42556", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-0476", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2175A10-2BF6-430A-A90E-C3957B4FF493", "versionEndExcluding": "1.14.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D85EBF5-35FF-4F02-87AB-16FF644D11F3", "versionEndExcluding": "1.15.5", "versionStartIncluding": "1.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive."}, {"lang": "es", "value": "La inyecci\u00f3n de c\u00f3digo en el comando go con cgo antes de Go 1.14.12 y Go 1.15.5 permite la ejecuci\u00f3n de c\u00f3digo arbitrario en tiempo de compilaci\u00f3n a trav\u00e9s de banderas gcc maliciosas especificadas a trav\u00e9s de una directiva #cgo"}], "id": "CVE-2020-28367", "lastModified": "2023-11-07T03:21:20.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-18T17:15:12.057", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/267277"}, {"source": "security@golang.org", "url": "https://go.dev/issue/42556"}, {"source": "security@golang.org", "url": "https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}, {"source": "security@golang.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2022-0476"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.18.4-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.12.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.12.0-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.18.4-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.18.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.12.0-5", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.12.0-4", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.12.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0145", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.18.4-2.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2020:5333", "cpe": "cpe:/a:redhat:devtools:2020", "package": "go-toolset-1.14-0:1.14.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5333", "cpe": "cpe:/a:redhat:devtools:2020", "package": "go-toolset-1.14-golang-0:1.14.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5493", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8030020201118084734.58e1918e", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-15T00:00:00Z"}], "bugzilla": {"description": "golang: improper validation of cgo flags can lead to code execution at build time", "id": "1897646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1897646"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.", "An input validation vulnerability was found in Go. If cgo is specified in a Go file, it is possible to bypass the validation of arguments to the gcc compiler. This flaw allows an attacker to create a malicious repository that can execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability."], "mitigation": {"lang": "en:us", "value": "If it's possible to confirm that the go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`. \nFor example:\nCGO_ENABLED=0 go get github.com/someproject\nThis will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files. Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios."}, "name": "CVE-2020-28367", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel7", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "jaeger-rhel7-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "jaeger-rhel8-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "knative-serving", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-virtctl", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "multi-cloud-object-gateway-cli", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2020-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28367\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28367\nhttps://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ"], "statement": "While the OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM), and OpenShift Virtualization all contain RPMs and containers that are compiled with a vulnerable version of Go, the vulnerability is specific to the building of the Go code itself. Using `go get` or `go build` and as such, the relevant components have been marked as not affected.\nAdditionally, only the main RPMs and containers for OCP, RHOSJ, OSSM, and OpenShift Virtualization are represented due to the large volume of not affected components.\nRed Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.", "threat_severity": "Moderate", "upstream_fix": "go 1.15.5, go 1.14.12"}