PT-2023-5127 · Go+2
Juho Nurminen · Published 2023-07-27 · Updated 2024-09-09 · CVE-2023-39320
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Go versions 1.21 and later
Description
The go.mod toolchain directive can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command is executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. The issue stems from improper control of code generation (code injection) when the Go toolchain is loaded. Exploitation of the issue may allow a remote attacker to elevate privileges and execute arbitrary code.
Recommendations
For Go version 1.21 and later, consider disabling the toolchain directive in the go.mod file as a temporary workaround until a patch is available. Restrict access to the go.mod file to minimize the risk of exploitation. Avoid using the go.mod toolchain directive in the "go" command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
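One way to act on these recommendations is to inspect a module's go.mod for a toolchain directive before running the "go" command inside it. The following is an added example, not code from this advisory or from the Go project; the function name AuditToolchain, the strict release-name policy and the sample go.mod bodies are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// releaseName is this example's own strict policy (an assumption, not the go
// command's validation): only plain release names such as go1.21.0 or go1.21rc2.
var releaseName = regexp.MustCompile(`^go[0-9]+(\.[0-9]+){1,2}([a-z]+[0-9]+)?$`)

// AuditToolchain scans go.mod text and returns the toolchain value plus a
// verdict: "absent" (no directive), "ok" (plain release name) or "review".
func AuditToolchain(gomod string) (value, verdict string) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // ignore trailing comments
		}
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "toolchain" {
			continue
		}
		value = strings.Trim(f[1], "\"`") // go.mod allows quoted strings
		if releaseName.MatchString(value) {
			return value, "ok"
		}
		return value, "review" // anything else, including path-like values
	}
	return "", "absent"
}

func main() {
	// Constructed go.mod bodies for illustration.
	samples := []string{
		"module example.com/a\n\ngo 1.21\n",
		"module example.com/b\n\ngo 1.21\n\ntoolchain go1.21.0 // pinned\n",
		"module example.com/c\n\ngo 1.21\n\ntoolchain placeholder/value\n",
	}
	for _, s := range samples {
		v, verdict := AuditToolchain(s)
		fmt.Printf("%-8s %q\n", verdict, v)
	}
}
```

A "review" verdict means the value is outside this example's allow-list and the go.mod should be read by a person before any "go" command runs in that directory.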
Exploit
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Go
Suse