CVE-2020-28366

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
Configurations

Configuration 1

OR cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3

OR cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*

History

07 Nov 2023, 03:21

| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://go.dev/cl/269658 - Patch, Vendor Advisory | () https://go.dev/cl/269658 - |
| References | (MISC) https://go.dev/issue/42559 - Issue Tracking, Patch, Vendor Advisory | () https://go.dev/issue/42559 - |
| References | (MISC) https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 - Mailing List, Patch | () https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 - |
| References | (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Mailing List, Release Notes, Third Party Advisory | () https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - |
| References | (MISC) https://pkg.go.dev/vuln/GO-2022-0475 - Vendor Advisory | () https://pkg.go.dev/vuln/GO-2022-0475 - |

28 Feb 2023, 14:52

| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://pkg.go.dev/vuln/GO-2022-0475 - | (MISC) https://pkg.go.dev/vuln/GO-2022-0475 - Vendor Advisory |
| References | (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Release Notes, Third Party Advisory | (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Mailing List, Release Notes, Third Party Advisory |
| References | (MISC) https://go.dev/cl/269658 - | (MISC) https://go.dev/cl/269658 - Patch, Vendor Advisory |
| References | (MISC) https://go.dev/issue/42559 - | (MISC) https://go.dev/issue/42559 - Issue Tracking, Patch, Vendor Advisory |
| References | (MISC) https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 - | (MISC) https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 - Mailing List, Patch |

29 Dec 2022, 18:15

| Type | Values Removed | Values Added |
|---|---|---|
| References | (GENTOO) GLSA-202208-02, https://security.gentoo.org/glsa/202208-02 - Third Party Advisory | |
| References | (MLIST) [trafficcontrol-issues] 20201112 [GitHub] [trafficcontrol] zrhoffman opened a new pull request #5278: Update Go version to 1.15.5, https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd@%3Cissues.trafficcontrol.apache.org%3E - Mailing List, Vendor Advisory | |
| References | (MISC) https://github.com/golang/go/issues/42559 - Third Party Advisory | |
| References | (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory | |
| References | (FEDORA) FEDORA-2020-864922e78a, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/ - Third Party Advisory | |
| References | (FEDORA) FEDORA-2020-e971480183, https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory | |
| References | | (MISC) https://go.dev/cl/269658 - |
| References | | (MISC) https://go.dev/issue/42559 - |
| References | | (MISC) https://pkg.go.dev/vuln/GO-2022-0475 - |
| References | | (MISC) https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 - |
| Summary | Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. |

06 Aug 2022, 03:47

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* |
| CPE | | cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:* |
| CPE | | cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:* |
| First Time | | Netapp cloud Insights Telegraf Agent |
| First Time | | Netapp |
| First Time | | Netapp trident |
| References | (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - | (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory |
| References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory |
| References | (GENTOO) https://security.gentoo.org/glsa/202208-02 - | (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory |

04 Aug 2022, 16:15

| Type | Values Removed | Values Added |
|---|---|---|
| References | | (GENTOO) https://security.gentoo.org/glsa/202208-02 - |

Information

Published : 2020-11-18 17:15

Updated : 2023-12-10 13:41


NVD link : CVE-2020-28366

Mitre link : CVE-2020-28366

CVE.ORG link : CVE-2020-28366



Products Affected

golang

  • go

fedoraproject

  • fedora

netapp

  • trident
  • cloud_insights_telegraf_agent
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')