Unrated severityNVD Advisory· Published Sep 8, 2023· Updated Feb 13, 2025
Arbitrary code execution via go.mod toolchain directive in cmd/go
CVE-2023-39320
Description
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
21- osv-coords20 versionspkg:apk/chainguard/metrics-serverpkg:apk/chainguard/metrics-server-bitnami-compatpkg:apk/chainguard/metrics-server-compatpkg:apk/chainguard/metrics-server-iamguarded-compatpkg:apk/wolfi/metrics-serverpkg:apk/wolfi/metrics-server-bitnami-compatpkg:apk/wolfi/metrics-server-compatpkg:apk/wolfi/metrics-server-iamguarded-compatpkg:bitnami/golangpkg:rpm/opensuse/go1.21&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.21&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/go1.21&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.21-openssl&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/go1.21-openssl&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/go1.21&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.21&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go1.21&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/go1.21-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4pkg:rpm/suse/go1.21-openssl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/go&distro=SUSE%20Package%20Hub%2012
< 0.6.4-r1+ 19 more
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: < 0.6.4-r1
- (no CPE)range: >= 1.21.0, < 1.21.1
- (no CPE)range: < 1.21.1-150000.1.6.1
- (no CPE)range: < 1.21.1-150000.1.6.1
- (no CPE)range: < 1.21.1-1.1
- (no CPE)range: < 1.21.4.1-150000.1.5.1
- (no CPE)range: < 1.21.4.1-150000.1.5.1
- (no CPE)range: < 1.21.1-150000.1.6.1
- (no CPE)range: < 1.21.1-150000.1.6.1
- (no CPE)range: < 1.21.3-2.1
- (no CPE)range: < 1.21.4.1-150000.1.5.1
- (no CPE)range: < 1.21.4.1-150000.1.5.1
- (no CPE)range: < 1.21-41.1
- Go toolchain/cmd/gov5Range: 1.21.0-0
Patches
Vulnerability mechanics
References
6News mentions
0No linked articles in our index yet.