Vulnerability Report: GO-2023-2042

CVE-2023-39320
Affects: cmd/go
Published: Sep 07, 2023

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Affected Packages

Path

Versions

Symbols
cmd/go

from go1.21.0-0 before go1.21.1

all symbols

Aliases

CVE-2023-39320

References

https://go.dev/issue/62198
https://go.dev/cl/526158
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://vuln.go.dev/ID/GO-2023-2042.json

Credits

Juho Nurminen of Mattermost

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL