PT-2020-16998 · Google · Go

Chris Brown · Published 2020-11-16 · Updated 2024-06-15 · CVE-2020-28366

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.14.12
Go versions 1.15.x prior to 1.15.5
Description

The go command can execute arbitrary code at build time when cgo is in use. The trigger is a malicious, unquoted symbol name in a linked object file: because the name is not quoted, attacker-controlled content is injected into the build and executed (code injection). Running go get on a malicious package is enough to trigger it, as is any other command that builds untrusted code; the package does not have to be run, only built.
Recommendations

Update the Go toolchain: for Go versions prior to 1.14.12, update to 1.14.12 or later; for Go 1.15.x prior to 1.15.5, update to 1.15.5 or later. Check the installed toolchain with go version. Until the update is applied, do not build untrusted code with cgo enabled; cgo can be switched off for a build by setting CGO_ENABLED=0 in the environment, at the cost of any package that requires cgo failing to build.
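The following Go program is an added example, not code from the Go project or from the original advisory. It shows the bug class the description refers to, a symbol name copied unquoted into generated build input, next to the quoted form that neutralises it, and it implements the affected-version check from the recommendations above. The //go:example_* directive names and the malicious symbol string are constructed stand-ins, not the real cgo pragmas.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not code from the Go project. The "//go:example_*" directive
// names and the malicious symbol name below are constructed stand-ins, not the
// real cgo pragmas.

// emitDirectiveUnquoted copies a symbol name verbatim into one line of
// generated build input. A name containing a newline splits into extra lines,
// so whoever controls the name can smuggle in a second directive.
func emitDirectiveUnquoted(sym string) string {
	return "//go:example_import " + sym + "\n"
}

// emitDirectiveQuoted wraps the name in a Go string literal. strconv.Quote
// escapes newlines and quotes, so the output is exactly one directive line
// whatever the input, which is what quoting the symbol name buys you.
func emitDirectiveQuoted(sym string) string {
	return "//go:example_import " + strconv.Quote(sym) + "\n"
}

// directiveLines counts the directive lines in a generated snippet. More than
// one line for a single symbol means the name injected something.
func directiveLines(generated string) int {
	n := 0
	for _, line := range strings.Split(generated, "\n") {
		if strings.HasPrefix(line, "//go:") {
			n++
		}
	}
	return n
}

// parseGoVersion turns "go1.15.4", "1.15.4" or "go1.16" into numeric parts.
// A missing patch component is treated as .0; pre-release tags are rejected.
func parseGoVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil {
			return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// IsAffected reports whether a toolchain version is inside the ranges the
// advisory lists: everything before 1.14.12, and 1.15.x before 1.15.5.
func IsAffected(version string) (bool, error) {
	major, minor, patch, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	switch {
	case major != 1:
		return major < 1, nil
	case minor < 14:
		return true, nil
	case minor == 14:
		return patch < 12, nil
	case minor == 15:
		return patch < 5, nil
	default: // 1.16 and later carry the fix
		return false, nil
	}
}

func main() {
	// Constructed malicious symbol name: a newline followed by a second
	// directive that the unquoted emitter passes through untouched.
	evil := "open\n//go:example_ldflag -Wl,--run-me"
	fmt.Printf("unquoted: %d directive lines\n", directiveLines(emitDirectiveUnquoted(evil)))
	fmt.Printf("quoted:   %d directive lines\n", directiveLines(emitDirectiveQuoted(evil)))

	for _, v := range []string{"go1.14.11", "go1.14.12", "go1.15.4", "go1.15.5", "go1.16"} {
		affected, err := IsAffected(v)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-10s affected=%v\n", v, affected)
	}
}
```

Feed IsAffected the output of go version (minus the "go version " prefix and the platform suffix) to triage a build host; the directive emitters are there only to make the unquoted-versus-quoted difference concrete.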

Weakness Enumeration

Code Injection

Related Identifiers

ALT-PU-2020-3319
ALT-PU-2020-3334
ALT-PU-2020-3356
ALT-PU-2021-1456
AZL-38452
BIT-GOLANG-2020-28366
CESA-2020_5493
CVE-2020-28366
GO-2022-0475
MGASA-2021-0018
OPENSUSE-SU-2020:2047-1
OPENSUSE-SU-2020:2067-1
OPENSUSE-SU-2020:2139-1
OPENSUSE-SU-2024:10807-1
OPENSUSE-SU-2024:10808-1
RHSA-2020:5333
RHSA-2020:5493
RHSA-2021:0145
SUSE-SU-2020:3368-1
SUSE-SU-2020:3369-1

Affected Products

ALT Linux
CentOS
Go
Red Hat
SUSE