1. Home
  2. CVE Database
  3. CVE-2023-29405
CRITICAL · 9.8

CVE-2023-29405

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This ...

Vulnerability Description

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
GolangGo< 1.19.10
FedoraprojectFedora38

Related Weaknesses (CWE)

CWE-74

References

FAQ

What is CVE-2023-29405?

CVE-2023-29405 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This ...

How severe is CVE-2023-29405?

CVE-2023-29405 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-29405?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Fedoraproject Fedora.