Unrated severityNVD Advisory· Published Jun 8, 2023· Updated Feb 13, 2025

Code injection via go command with cgo in cmd/go

CVE-2023-29402

Description

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

Affected products

osv-coords36 versions
pkg:apk/chainguard/falco pkg:apk/chainguard/falco-dev pkg:apk/chainguard/falco-src pkg:apk/chainguard/kind pkg:apk/chainguard/policy-controller pkg:apk/chainguard/policy-controller-tester pkg:apk/chainguard/policy-controller-webhook pkg:apk/wolfi/falco pkg:apk/wolfi/falco-dev pkg:apk/wolfi/falco-src pkg:apk/wolfi/kind pkg:apk/wolfi/policy-controller pkg:apk/wolfi/policy-controller-tester pkg:apk/wolfi/policy-controller-webhook pkg:bitnami/golang pkg:rpm/almalinux/delve pkg:rpm/almalinux/golang pkg:rpm/almalinux/golang-bin pkg:rpm/almalinux/golang-docs pkg:rpm/almalinux/golang-misc pkg:rpm/almalinux/golang-race pkg:rpm/almalinux/golang-src pkg:rpm/almalinux/golang-tests pkg:rpm/almalinux/go-toolset pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/go1.19&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/go1.19&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/go1.20&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/go1.20&distro=openSUSE%20Tumbleweed pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 pkg:rpm/suse/go1.19&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5 pkg:rpm/suse/go1.20&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3
< 0.37.1-r0+ 35 more
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.37.1-r0
- (no CPE)range: < 0.21.0-r0
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 0.7.0-r4
- (no CPE)range: < 1.19.10
- (no CPE)range: < 1.9.1-1.module_el8.8.0+3471+a62632a0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-1.module_el8.8.0+3571+89db2ae0
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-1.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-1.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.19.10-150000.1.34.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
- (no CPE)range: < 1.20.5-150000.1.14.1
Go toolchain/cmd/gov5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000