PT-2023-3109 · Go+11

Juho Nurminen · Published 2023-04-05 · Updated 2025-01-06 · CVE-2023-29402

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Go (affected versions not specified)

Description

The issue is incorrect code generation in the Go programming language's cgo tool when directory names contain newline characters. This may result in unexpected behavior when running a Go program that uses cgo. The problem can occur when running an untrusted module that contains such directories. Modules retrieved with the go command (via "go get") are not affected, while modules retrieved in GOPATH mode (with GO111MODULE=off) may be affected. Exploitation of this issue may allow a remote attacker to execute arbitrary code.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Code Injection

Weakness Enumeration

Related Identifiers

ALSA-2023:3922
ALSA-2023:3923
ALT-PU-2023-2086
ALT-PU-2023-2090
ALT-PU-2023-4099
ALT-PU-2023-4736
ALT-PU-2023-4785
ALT-PU-2023-5492
ALT-PU-2023-7055
AZL-27111
AZL-27122
AZL-37329
AZL-37353
AZL-47225
BDU:2023-03201
BIT-GOLANG-2023-29402
CESA-2023_3922
CVE-2023-29402
GO-2023-1839
MGASA-2023-0227
OESA-2023-1386
OPENSUSE-SU-2024:12987-1
OPENSUSE-SU-2024:12988-1
RHSA-2023:3920
RHSA-2023:3922
RHSA-2023:3923
RHSA-2023_3922
RHSA-2023_3923
RLSA-2023:3923
SUSE-SU-2023:2525-1
SUSE-SU-2023:2526-1
SUSE-SU-2023_2525-1
SUSE-SU-2023_2526-1
USN-7061-1
USN-7109-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Go
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu