PT-2021-2196 · Google+6 · Go+6

Ryotak

·

Published

2021-01-20

·

Updated

2024-06-15

·

CVE-2021-3115

CVSS v2.0

7.6

High

VectorAV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.14.14 Go versions 1.15.x prior to 1.15.7
Description: The issue is related to the incorrect management of code generation in the Go programming language, specifically with the use of the go get command to fetch modules that utilize cgo. This can lead to command injection and remote code execution, allowing a remote attacker to execute arbitrary code. The vulnerability is triggered when the go get command is used to fetch malicious modules or when the code is built, potentially executing a gcc program from an untrusted download.
Recommendations: For Go versions prior to 1.14.14, update to version 1.14.14 or later to resolve the issue. For Go versions 1.15.x prior to 1.15.7, update to version 1.15.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the go get command with cgo until a patch is applied.

Fix

RCE

Code Injection

Uncontrolled Search Path Element

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-427

Related Identifiers

ALT-PU-2021-1090
ALT-PU-2021-1111
ALT-PU-2021-1138
ALT-PU-2021-1456
ALT-PU-2021-1941
AZL-38572
BDU:2021-01105
BIT-GOLANG-2021-3115
CESA-2021_1746
CVE-2021-3115
GO-2021-0068
OPENSUSE-SU-2021:0190-1
OPENSUSE-SU-2021:0192-1
OPENSUSE-SU-2021:0194-1
OPENSUSE-SU-2021_0190-1
OPENSUSE-SU-2021_0192-1
OPENSUSE-SU-2021_0194-1
OPENSUSE-SU-2024:10807-1
OPENSUSE-SU-2024:10808-1
RHSA-2021:1339
RHSA-2021:1746
RHSA-2021:2095
RHSA-2021_1746
RLSA-2021:1746
SUSE-SU-2021:0222-1
SUSE-SU-2021:0223-1

Affected Products

Alt Linux
Astra Linux
Centos
Go
Red Hat
Rocky Linux
Suse