CVE-2020-28367

Code injection in the go command with cgo in Go before 1.14.12 and 1.15.x before 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. The go command forwards the #cgo CFLAGS/LDFLAGS values found in a package's source to the C compiler and linker after filtering them against an allowlist; in the affected versions that allowlist still admitted flags that make gcc run attacker-chosen code, so any command that builds untrusted code with cgo enabled (for example go get or go build on a malicious module or one of its dependencies) can execute code on the build host. Fixed in Go 1.14.12 and 1.15.5 (CL 267277, issue 42556). Building untrusted code with CGO_ENABLED=0 avoids the #cgo path entirely.
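The control that this fix tightened is the allowlist applied to #cgo flags before they reach gcc. The Go program below is an added example written for this page, not code from the Go project: it parses #cgo CFLAGS/LDFLAGS directives out of a constructed source snippet and runs every flag through a deliberately small allowlist of the shape cmd/go uses (the real patterns in cmd/go/internal/work/security.go are longer). The patterns, the sample source and the two rejected flags are assumptions chosen to show the class of flag such a filter must stop, namely a compiler plugin load and a gcc @file response file; they are not claimed to be the flags from the Go issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// CgoDirective is one "#cgo [constraints] <kind>: <flags>" line from a cgo preamble.
type CgoDirective struct {
	Line  int
	Kind  string   // CFLAGS, CPPFLAGS, CXXFLAGS, FFLAGS or LDFLAGS
	Flags []string // flags as written, split on whitespace (no quote handling: a simplification)
}

// "#cgo", optional build-constraint words (linux, !windows, ...), then "<kind>: <flags>".
var directiveRE = regexp.MustCompile(`^#cgo(?:\s+[A-Za-z0-9_,!]+)*\s+([A-Za-z_-]+):\s*(.*)$`)

// Illustrative allowlists, an assumption of this example (the real ones in
// cmd/go/internal/work/security.go are longer). Anything unmatched is rejected;
// no pattern admits '@' (gcc reads further arguments from "@file") and no value
// may begin with '-', so a value cannot smuggle in a second flag.
var allowedCompilerFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-D[A-Za-z_][A-Za-z0-9_]*(=[^@\-][^@]*)?$`),
	regexp.MustCompile(`^-I[^@\-][^@]*$`),
	regexp.MustCompile(`^-W[a-z0-9-]*$`), // -Wall, -Wno-unused, ... but never -Wl,<linker args>
	regexp.MustCompile(`^-f(no-)?(PIC|pic|PIE|pie|omit-frame-pointer|stack-protector(-strong|-all)?)$`),
}
var allowedLinkerFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-L[^@\-][^@]*$`),
	regexp.MustCompile(`^-l[^@\-][^@]*$`),
	regexp.MustCompile(`^-pthread$`),
}

// A kind missing from this map yields a nil list, so its flags are all rejected (fail closed).
var allowlists = map[string][]*regexp.Regexp{
	"CFLAGS": allowedCompilerFlags, "CPPFLAGS": allowedCompilerFlags,
	"CXXFLAGS": allowedCompilerFlags, "FFLAGS": allowedCompilerFlags,
	"LDFLAGS": allowedLinkerFlags,
}

// ParseCgoDirectives scans src line by line and returns every #cgo directive,
// stripping a leading "//" or "/*" so both comment styles are handled.
func ParseCgoDirectives(src string) []CgoDirective {
	var out []CgoDirective
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		line = strings.TrimPrefix(strings.TrimPrefix(line, "//"), "/*")
		m := directiveRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		out = append(out, CgoDirective{Line: n, Kind: m[1], Flags: strings.Fields(m[2])})
	}
	return out
}

// CheckFlag accepts a flag only if an allowlist pattern matches it in full.
func CheckFlag(kind, flag string) error {
	for _, re := range allowlists[kind] {
		if re.MatchString(flag) {
			return nil
		}
	}
	return fmt.Errorf("invalid flag in #cgo %s: %q", kind, flag)
}

// CheckSource returns one error per rejected flag, so a build can refuse the
// package before gcc is ever invoked with those arguments.
func CheckSource(src string) []error {
	var errs []error
	for _, d := range ParseCgoDirectives(src) {
		for _, f := range d.Flags {
			if err := CheckFlag(d.Kind, f); err != nil {
				errs = append(errs, fmt.Errorf("line %d: %w", d.Line, err))
			}
		}
	}
	return errs
}

// Constructed sample: two benign directives, then two that must be stopped
// (a compiler plugin load and an @file argument injection).
const sampleSource = `/*
#cgo CFLAGS: -I/usr/include/foo -DFOO_DEBUG=1 -Wall
#cgo linux LDFLAGS: -L/usr/lib/foo -lfoo -pthread
#cgo CFLAGS: -fplugin=./untrusted.so
#cgo LDFLAGS: @extra-args.txt
*/
import "C"
`

func main() {
	for _, err := range CheckSource(sampleSource) {
		fmt.Println("REJECT", err) // two lines: the -fplugin and the @file directive
	}
}
```

Running it rejects only the third and fourth directives. The shape matters more than the particular patterns: an allowlist rejects whatever it was not written to admit, so a flag nobody anticipated is blocked by default, whereas a denylist of known-bad flags has to be extended after each new bypass. A check like this is cheap to run as a pre-build gate over third-party cgo code, but it complements rather than replaces upgrading the toolchain, since the real cmd/go check also covers flags arriving through pkg-config and CGO_CFLAGS.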
Configurations

Configuration 1

OR
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*  (versions before 1.14.12, per the description)
  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*  (versions 1.15.0 up to but excluding 1.15.5, per the description)

History

07 Nov 2023, 03:21

References
  Removed: (MISC) https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html -
  Added:   () https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html -
  Removed: (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 - Product
  Added:   () https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 -
  Removed: (MISC) https://go.dev/issue/42556 - Issue Tracking, Patch, Third Party Advisory
  Added:   () https://go.dev/issue/42556 -
  Removed: (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Mailing List, Third Party Advisory
  Added:   () https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM -
  Removed: (MISC) https://pkg.go.dev/vuln/GO-2022-0476 - Vendor Advisory
  Added:   () https://pkg.go.dev/vuln/GO-2022-0476 -
  Removed: (MISC) https://go.dev/cl/267277 - Product, Release Notes
  Added:   () https://go.dev/cl/267277 -

20 Apr 2023, 00:15

References
  Added:   (MISC) https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html -

03 Mar 2023, 14:36

CWE
  Removed: CWE-88
  Added:   CWE-94
References
  Removed: (MISC) https://go.dev/cl/267277 - Release Notes, Vendor Advisory
  Added:   (MISC) https://go.dev/cl/267277 - Product, Release Notes
  Removed: (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Third Party Advisory
  Added:   (CONFIRM) https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM - Mailing List, Third Party Advisory
  Removed: (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 - Third Party Advisory
  Added:   (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 - Product

06 Dec 2022, 21:44

CPE
  Removed: cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
  Removed: cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  Removed: cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*
  Removed: cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  Removed: cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
References
  Removed: (MISC) https://go.dev/cl/267277 -
  Added:   (MISC) https://go.dev/cl/267277 - Release Notes, Vendor Advisory
  Removed: (MISC) https://pkg.go.dev/vuln/GO-2022-0476 -
  Added:   (MISC) https://pkg.go.dev/vuln/GO-2022-0476 - Vendor Advisory
  Removed: (MISC) https://go.dev/issue/42556 -
  Added:   (MISC) https://go.dev/issue/42556 - Issue Tracking, Patch, Third Party Advisory
  Removed: (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 -
  Added:   (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 - Third Party Advisory

10 Aug 2022, 20:15

Summary
  Removed: Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.
  Added:   Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.
References
  Removed: (MISC) https://github.com/golang/go/issues/42556 - Third Party Advisory
  Removed: (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/ - Third Party Advisory (FEDORA-2020-864922e78a)
  Removed: (MLIST) https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd@%3Cissues.trafficcontrol.apache.org%3E - Mailing List, Vendor Advisory ([trafficcontrol-issues] 20201112 [GitHub] [trafficcontrol] zrhoffman opened a new pull request #5278: Update Go version to 1.15.5)
  Removed: (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory (GLSA-202208-02)
  Removed: (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory
  Removed: (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory (FEDORA-2020-e971480183)
  Removed: (MLIST) https://lists.debian.org/debian-lts-announce/2020/11/msg00038.html - Third Party Advisory ([debian-lts-announce] 20201121 [SECURITY] [DLA 2460-1] golang-1.8 security update)
  Added:   (MISC) https://pkg.go.dev/vuln/GO-2022-0476 -
  Added:   (MISC) https://go.dev/issue/42556 -
  Added:   (MISC) https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561 -
  Added:   (MISC) https://go.dev/cl/267277 -

06 Aug 2022, 03:47

First Time
  Added:   Netapp trident
  Added:   Netapp cloud Insights Telegraf Agent
  Added:   Netapp
CPE
  Added:   cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  Added:   cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*
  Added:   cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*
References
  Removed: (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ -
  Added:   (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/ - Mailing List, Third Party Advisory
  Removed: (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ -
  Added:   (CONFIRM) https://security.netapp.com/advisory/ntap-20201202-0004/ - Third Party Advisory
  Removed: (GENTOO) https://security.gentoo.org/glsa/202208-02 -
  Added:   (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory

04 Aug 2022, 16:15

References
  Added:   (GENTOO) https://security.gentoo.org/glsa/202208-02 -

Information

Published : 2020-11-18 17:15

Updated : 2023-12-10 13:41


NVD link : CVE-2020-28367

Mitre link : CVE-2020-28367

CVE.ORG link : CVE-2020-28367

Products Affected

golang

  • go
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')