Vulnerability Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.14.14 |
| Microsoft | Windows | - |
| Fedoraproject | Fedora | 33 |
| Netapp | Cloud Insights Telegraf Agent | - |
| Netapp | Storagegrid | - |
Related Weaknesses (CWE)
References
- https://blog.golang.org/path-security (Vendor Advisory)
- https://groups.google.com/g/golang-announce/c/mperVMGa98w (Release Notes, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202208-02 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20210219-0001/ (Third Party Advisory)
FAQ
What is CVE-2021-3115?
CVE-2021-3115 is a vulnerability with a CVSS score of 7.5 (HIGH). Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, c...
How severe is CVE-2021-3115?
CVE-2021-3115 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3115?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Microsoft Windows, Fedoraproject Fedora, Netapp Cloud Insights Telegraf Agent, Netapp Storagegrid.