CVE-2023-39320 - OpenCVE

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Golang	Go

Configuration 1 [-]

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://go.dev/cl/526158
https://go.dev/issue/62198
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://nvd.nist.gov/vuln/detail/CVE-2023-39320
https://pkg.go.dev/vuln/GO-2023-2042
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0004/
https://vuln.go.dev/ID/GO-2023-2042.json
https://www.cve.org/CVERecord?id=CVE-2023-39320

History

No history.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2023-09-08T16:13:26.609Z

Updated: 2024-08-02T18:02:06.849Z

Reserved: 2023-07-27T17:05:55.186Z

Link: CVE-2023-39320

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-09-08T17:15:27.977

Modified: 2023-11-25T11:15:17.630

Link: CVE-2023-39320

Redhat

Severity : Important

Publid Date: 2023-09-06T00:00:00Z

Links: CVE-2023-39320 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39320", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-07-27T17:05:55.186Z", "datePublished": "2023-09-08T16:13:26.609Z", "dateUpdated": "2024-08-02T18:02:06.849Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-09-08T16:13:26.609Z"}, "title": "Arbitrary code execution via go.mod toolchain directive in cmd/go", "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "1.21.0-0", "lessThan": "1.21.1", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://go.dev/issue/62198"}, {"url": "https://go.dev/cl/526158"}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.849Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/62198", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/526158", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2042", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0004/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-09", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "958E1BA0-2840-47E9-A790-79C10164C68C", "versionEndExcluding": "1.21.1", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software."}, {"lang": "es", "value": "La directiva de cadena de herramientas go.mod, introducida en Go 1.21, se puede aprovechar para ejecutar scripts y binarios relativos a la ra\u00edz del m\u00f3dulo cuando el comando \"go\" se ejecut\u00f3 dentro del m\u00f3dulo. Esto se aplica a los m\u00f3dulos descargados utilizando el comando \"go\" desde el proxy del m\u00f3dulo, as\u00ed como a los m\u00f3dulos descargados directamente mediante el software VCS."}], "id": "CVE-2023-39320", "lastModified": "2023-11-25T11:15:17.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-08T17:15:27.977", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/526158"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/62198"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2042"}, {"source": "security@golang.org", "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0004/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Juho Nurminen (Mattermost) for reporting this issue.", "bugzilla": {"description": "golang: cmd/go: go.mod toolchain directive allows arbitrary execution", "id": "2237775", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2237775"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules downloaded directly using VCS software.", "A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy and downloaded directly using VCS software."], "name": "CVE-2023-39320", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "go-toolset-7-golang", "product_name": "Red Hat Storage 3"}], "public_date": "2023-09-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39320\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39320\nhttps://go.dev/cl/526158\nhttps://go.dev/issue/62198\nhttps://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ\nhttps://vuln.go.dev/ID/GO-2023-2042.json"], "threat_severity": "Important", "upstream_fix": "golang 1.21.1"}