CVE-2021-3115
HIGH7.5EPSS 0.14%Arbitrary code injection via the go command with cgo on Windows in cmd/go
Published: 4/14/2021Modified: 4/28/2026
Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Affected packages (3)
- Bitnami/golangfrom 0, < 1.14.14, >= 1.15.0, < 1.15.7
- Debian/golang-1.15from 0, < 1.15.7-1
- Go/toolchainfrom 0, < 1.14.14, >= 1.15.0-0, < 1.15.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (13)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3115
- PATCHhttps://go.dev/cl/284780
- PATCHhttps://go.dev/cl/284783
- PATCHhttps://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
- PATCHhttps://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
- REPORThttps://go.dev/issue/43783
- WEBhttps://blog.golang.org/path-security
- WEBhttps://groups.google.com/g/golang-announce/c/mperVMGa98w
- WEBhttps://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-3115
- WEBhttps://security.gentoo.org/glsa/202208-02
- WEBhttps://security.netapp.com/advisory/ntap-20210219-0001/