PT-2020-16999 · Google+4 · Go+4

Imre Rad

Published

2020-11-16

Updated

2024-06-15

CVE-2020-28367

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Go versions prior to 1.14.12 Go versions prior to 1.15.5

Description The issue allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. This can occur when running commands that build untrusted code, such as go get on a malicious package. The problem is caused by the injection of malicious flags through a #cgo directive, enabling argument injection.

Recommendations For Go versions prior to 1.14.12, update to version 1.14.12 or later to resolve the issue. For Go versions prior to 1.15.5, update to version 1.15.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the #cgo directive until a patch is applied. Avoid using malicious gcc flags specified via a #cgo directive in the affected API endpoints until the issue is resolved.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

ALT-PU-2020-3319

ALT-PU-2020-3334

ALT-PU-2020-3356

ALT-PU-2021-1456

BIT-GOLANG-2020-28367

CESA-2020_5493

CVE-2020-28367

DLA-2460-1

DLA-3395-1

DLA-3395-2

GO-2022-0476

MGASA-2021-0018

OPENSUSE-SU-2020:2047-1

OPENSUSE-SU-2020:2067-1

OPENSUSE-SU-2020:2139-1

OPENSUSE-SU-2020_2047-1

OPENSUSE-SU-2020_2067-1

OPENSUSE-SU-2020_2139-1

OPENSUSE-SU-2024:10807-1

OPENSUSE-SU-2024:10808-1

RHSA-2020:5333

RHSA-2020:5493

RHSA-2020_5493

RHSA-2021:0145

SUSE-SU-2020:3368-1

SUSE-SU-2020:3369-1

Affected Products

Alt Linux

Centos

Red Hat

Suse

PT-2020-16999 · Google+4 · Go+4

CVE-2020-28367

Weakness Enumeration

Related Identifiers

Affected Products

References · 68