Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
References (5)
Release Notes, Third Party Advisory (x_refsource_confirm): https://groups.google.com/g/golang-announce/c/mperVMGa98w
Vendor Advisory (x_refsource_confirm): https://blog.golang.org/path-security
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20210219-0001/
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202208-02
Scores
CVSS v3
7.5
EPSS
0.0013
EPSS Percentile
32.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-427
Status
published
Products (4)
fedoraproject/fedora
33
golang/go
< 1.14.14
netapp/cloud_insights_telegraf_agent
netapp/storagegrid
Published
Jan 26, 2021
Tracked Since
Feb 18, 2026