UBUNTU-CVE-2023-39320
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 08 Sept 2023, 17:15
Last modified:16 Jul 2025, 07:20
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
08 Sept 2023, 17:15
Published
Vulnerability first disclosed
16 Jul 2025, 07:20
Last Modified
Vulnerability information updated
Description
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
- ubuntu•golang-1.21
< 1.21.1-1~ubuntu20.04.1 | < 1.21.1-1~ubuntu22.04.1 | < 1.21.5-1
References (8)
- https://ubuntu.com/security/CVE-2023-39320
- https://go.dev/issue/62198
- https://github.com/golang/go/commit/d25a935574efd573668d8ce9ea4cfc530bb63ecb
- https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
- https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
- https://go.dev/cl/526158
- https://pkg.go.dev/vuln/GO-2023-2042
- https://www.cve.org/CVERecord?id=CVE-2023-39320