CVE-2021-3115
golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Go versiones anteriores a 1.14.14 y versiones 1.15. x anteriores a 1.15.7 en Windows, es vulnerable a una inyección de comandos y una ejecución de código remota cuando es usado el comando "go get" para buscar módulos que hacen uso de cgo (por ejemplo, cgo puede ejecutar un programa gcc desde una descarga que no es confiable)
A flaw was found in golang: cmd/go, in which Go can execute arbitrary commands at build time when cgo is in use on Windows OS. On Linux/Unix, only users who have "." listed explicitly in their PATH variable are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Red Hat OpenShift Serverless 1.14.0 is a generally available release of the OpenShift Serverless Operator. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6 and 4.7, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section. Issues addressed include a code execution vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-11 CVE Reserved
- 2021-01-26 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-427: Uncontrolled Search Path Element
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/g/golang-announce/c/mperVMGa98w | Release Notes | |
| https://security.netapp.com/advisory/ntap-20210219-0001 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | < 1.14.14 Search vendor "Golang" for product "Go" and version " < 1.14.14" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.15 < 1.15.7 Search vendor "Golang" for product "Go" and version " >= 1.15 < 1.15.7" | - |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Insights Telegraf Agent Search vendor "Netapp" for product "Cloud Insights Telegraf Agent" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Storagegrid Search vendor "Netapp" for product "Storagegrid" | - | - |
Affected
| ||||||