Vulnerability Description
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags specified via a "#cgo LDFLAGS" directive. The arguments of a number of flags which are non-optional are incorrectly treated as optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
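An added example, not part of this advisory or of the go command's source: a defensive pre-build scan for the "#cgo LDFLAGS" directives the advisory describes. It assumes an illustrative allowlist (needsArg, inlineOK), which is not Go's real flag table, and enforces the property whose absence the advisory reports: a flag with a mandatory argument must always consume exactly one non-flag argument, so nothing else can occupy that slot.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative allowlist (an assumption for this example, not the go command's
// real table): flags taking the NEXT token as a mandatory argument, plus -L<dir>/-l<name>.
var needsArg = map[string]bool{"-L": true, "-l": true, "-framework": true}
var inlineOK = regexp.MustCompile(`^-[Ll][A-Za-z0-9_./+-]+$`)

// CheckLDFLAGS fails on a non-allowlisted flag or a flag whose mandatory argument is missing or is itself a flag.
func CheckLDFLAGS(flags []string) error {
	for i := 0; i < len(flags); i++ {
		f := flags[i]
		switch {
		case inlineOK.MatchString(f): // value attached, nothing more to consume
		case needsArg[f]:
			// The argument is NOT optional: it must exist and must not look like
			// a flag, so no other flag can hide in the argument slot.
			if i+1 >= len(flags) || strings.HasPrefix(flags[i+1], "-") {
				return fmt.Errorf("flag %q requires a non-flag argument", f)
			}
			i++ // consume the argument
		default:
			return fmt.Errorf("flag %q is not allowed", f)
		}
	}
	return nil
}

var cgoLDFLAGS = regexp.MustCompile(`^\s*//\s*#cgo\s+(?:\S+\s+)*?LDFLAGS:\s*(.*)$`)
// ScanSource returns one message per "#cgo LDFLAGS" directive in src that
// fails CheckLDFLAGS; an empty result means every directive passed.
func ScanSource(src string) []string {
	var findings []string
	for _, line := range strings.Split(src, "\n") {
		if m := cgoLDFLAGS.FindStringSubmatch(line); m != nil {
			if err := CheckLDFLAGS(strings.Fields(m[1])); err != nil {
				findings = append(findings, err.Error())
			}
		}
	}
	return findings
}

// Constructed sample source: one benign directive, one with a missing argument.
const SampleSource = "package demo\n// #cgo LDFLAGS: -L/opt/lib -lfoo\n// #cgo darwin LDFLAGS: -framework\nimport \"C\"\n"
```

Running ScanSource over a module's .go files before building it reports only the directives that fail the check; the benign directive in SampleSource passes and the one with the missing argument is reported.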
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.19.10 |
| Fedoraproject | Fedora | 38 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/501225 (Patch)
- https://go.dev/issue/60305 (Issue Tracking)
- https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ (Mailing List, Release Notes)
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected] (Mailing List)
- https://pkg.go.dev/vuln/GO-2023-1841 (Vendor Advisory)
- https://security.gentoo.org/glsa/202311-09
- https://security.netapp.com/advisory/ntap-20241115-0009/
FAQ
What is CVE-2023-29404?
CVE-2023-29404 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This ...
How severe is CVE-2023-29404?
CVE-2023-29404 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-29404?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Fedoraproject Fedora.