CVE-2021-3115

Description

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 5.1AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.14%• Percentile: 33%

Techniques & Countermeasures

• CWE-427•Uncontrolled Search Path Element

  The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Affected Systems

• fedoraproject•fedora

  33

• golang•go

  < 1.14.14 | ≥ 1.15, < 1.15.7

• Go•toolchain

  ≥ 1.15.0-0, < 1.15.7

• netapp•cloud_insights_telegraf_agent

  na

• netapp•storagegrid

  na

References (11)

• https://groups.google.com/g/golang-announce/c/mperVMGa98w
• https://blog.golang.org/path-security
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
• https://security.netapp.com/advisory/ntap-20210219-0001/
• https://security.gentoo.org/glsa/202208-02
• https://go.dev/cl/284783
• https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0
• https://go.dev/issue/43783
• https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ
• https://go.dev/cl/284780
• https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0