CVE-2021-3115

HIGH

Go < 1.14.14 - Uncontrolled Search Path

Title source: rule

Description

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Scores

CVSS v3 7.5
EPSS 0.0013
EPSS Percentile 32.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE CWE-427
Status published

Affected Products (4)

golang/go < 1.14.14
fedoraproject/fedora
netapp/cloud_insights_telegraf_agent
netapp/storagegrid

Timeline

Published Jan 26, 2021
Tracked Since Feb 18, 2026