Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-29405

Date: June 8, 2023

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

Language: Go

Severity Score

Related Resources (12)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09
https://security-tracker.debian.org/tracker/CVE-2023-29405
https://go.dev/issue/60306
https://go.dev/cl/501224
https://nvd.nist.gov/vuln/detail/CVE-2023-29405
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://security.netapp.com/advisory/ntap-20241206-0003/
https://pkg.go.dev/vuln/GO-2023-1842
https://access.redhat.com/security/cve/CVE-2023-29405
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://www.mend.io/vulnerability-database/CVE-2023-29405

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us