CVE-2021-3115
HIGH7.5EPSS 0.14%Arbitrary code injection via the go command with cgo on Windows in cmd/go
發布日:2021/4/14修改日:2026/4/28
描述
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
受影響套件(3)
- Bitnami/golangfrom 0, < 1.14.14, >= 1.15.0, < 1.15.7
- Debian/golang-1.15from 0, < 1.15.7-1
- Go/toolchainfrom 0, < 1.14.14, >= 1.15.0-0, < 1.15.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
參考連結(13)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3115
- PATCHhttps://go.dev/cl/284780
- PATCHhttps://go.dev/cl/284783
- PATCHhttps://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0
- PATCHhttps://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
- REPORThttps://go.dev/issue/43783
- WEBhttps://blog.golang.org/path-security
- WEBhttps://groups.google.com/g/golang-announce/c/mperVMGa98w
- WEBhttps://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-3115
- WEBhttps://security.gentoo.org/glsa/202208-02
- WEBhttps://security.netapp.com/advisory/ntap-20210219-0001/