CVE-2023-39320
CRITICAL
GO < 1.21.1 - Code Injection
Title source: ruleDescription
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command is executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
Exploits (1)
References (6)
Scores
CVSS v3
9.8
EPSS
0.0080
EPSS Percentile
74.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
golang/go
1.21.0 - 1.21.1
Published
Sep 08, 2023
Tracked Since
Feb 18, 2026