CVE-2021-3115
golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cgo puede ejecutar un programa gcc desde una descarga que no es confiable)
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-11 CVE Reserved
- 2021-01-26 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-427: Uncontrolled Search Path Element
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://groups.google.com/g/golang-announce/c/mperVMGa98w | Release Notes | |
https://security.netapp.com/advisory/ntap-20210219-0001 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.14.14 Search vendor "Golang" for product "Go" and version " < 1.14.14" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.15 < 1.15.7 Search vendor "Golang" for product "Go" and version " >= 1.15 < 1.15.7" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Cloud Insights Telegraf Agent Search vendor "Netapp" for product "Cloud Insights Telegraf Agent" | - | - |
Affected
| ||||||
Netapp Search vendor "Netapp" | Storagegrid Search vendor "Netapp" for product "Storagegrid" | - | - |
Affected
|