Vulnerability Description
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.14.12 |
| Fedoraproject | Fedora | 32 |
| Netapp | Cloud Insights Telegraf Agent | - |
| Netapp | Trident | - |
Related Weaknesses (CWE)
References
- https://go.dev/cl/269658
- https://go.dev/issue/42559
- https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292
- https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
- https://pkg.go.dev/vuln/GO-2022-0475
FAQ
What is CVE-2020-28366?
CVE-2020-28366 is a vulnerability with a CVSS score of 7.5 (HIGH). Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
How severe is CVE-2020-28366?
CVE-2020-28366 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-28366?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Fedoraproject Fedora, Netapp Cloud Insights Telegraf Agent, Netapp Trident.