CVE-2023-29402

Code injection via go command with cgo in cmd/go

Description

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

References

Link	Tags
https://go.dev/issue/60167	issue tracking
https://go.dev/cl/501226	patch
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ	release notes mailing list
https://pkg.go.dev/vuln/GO-2023-1839	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/	mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20241213-0004/

Frequently Asked Questions

What is the severity of CVE-2023-29402?: CVE-2023-29402 has been scored as a critical severity vulnerability.
How to fix CVE-2023-29402?: To fix CVE-2023-29402, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-29402 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-29402 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-29402?: CVE-2023-29402 affects Go toolchain cmd/go.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions