Chris Brown

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.14.12 Go versions 1.15.x prior to 1.15.5 **Description** The issue allows for code injection in the go command when cgo is used, potentially leading to arbitrary code execution at build time. This can happen through a malicious unquoted symbol name in a linked object file, such as when running `go get` on a malicious package or any other command that builds untrusted code. **Recommendations** For Go versions prior to 1.14.12, update to version 1.14.12 or later. For Go versions 1.15.x prior to 1.15.5, update to version 1.15.5 or later. As a temporary workaround, consider avoiding the use of cgo with untrusted code until a patch is applied.