Description
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
References (5)
Core 5
Core References
Various Sources
https://go.dev/cl/269658
Various Sources
https://pkg.go.dev/vuln/GO-2022-0475
Issue Tracking
https://go.dev/issue/42559
Scores
CVSS v3
7.5
EPSS
0.0017
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (5)
fedoraproject/fedora
32
fedoraproject/fedora
33
golang/go
< 1.14.12
netapp/cloud_insights_telegraf_agent
netapp/trident
Published
Nov 18, 2020
Tracked Since
Feb 18, 2026