Go gccgo LDFLAGS Smuggling: Command Execution at Build Time
CVE-2023-29405 Published on June 8, 2023
Improper sanitization of LDFLAGS with embedded spaces in go command with cgo in cmd/go
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command that builds untrusted code. It can be triggered through linker flags specified via a "#cgo LDFLAGS" directive: flags containing embedded spaces are mishandled, so a disallowed flag can be smuggled past the LDFLAGS sanitization by placing it inside the argument of an allowed flag. Only builds that use the gccgo compiler are affected.
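The following Go program is an added illustration, not code from the Go toolchain or from the advisory. It models the mechanism described above: each LDFLAGS entry is validated as a single string against an allow-list (a reduced, hypothetical subset of patterns in the style of cmd/go's checks), but the validated entries are later joined and re-split on whitespace before reaching the compiler driver, so a space inside one flag's argument produces an extra argument that was never validated. The sample flags, the `./evil.so` path and the use of `-fplugin=` as the disallowed flag are constructed for the example; the hardened check that rejects embedded whitespace is a defensive illustration, not the upstream patch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Reduced, hypothetical allow-list in the style of cmd/go's LDFLAGS
// validation (assumption: the real list is longer). Each pattern must
// match the whole flag. Note that the rpath argument may contain spaces.
var allowedLDFlags = []*regexp.Regexp{
	regexp.MustCompile(`^-L([^@\-].*)$`),
	regexp.MustCompile(`^-l([^@\-].*)$`),
	regexp.MustCompile(`^-Wl,-rpath(-link)?[=,]([^,@\-][^,]*)$`),
}

func flagAllowed(flag string) bool {
	for _, re := range allowedLDFlags {
		if re.MatchString(flag) {
			return true
		}
	}
	return false
}

// checkFlags models the sanitization step: every entry of a
// "#cgo LDFLAGS" directive is checked individually, as one string.
func checkFlags(flags []string) error {
	for _, f := range flags {
		if !flagAllowed(f) {
			return fmt.Errorf("invalid flag in #cgo LDFLAGS: %q", f)
		}
	}
	return nil
}

// gccgoArgs models the mishandling: the already-validated entries are
// joined into one string and re-split on whitespace before being handed
// to the compiler driver, so an embedded space yields extra arguments.
func gccgoArgs(flags []string) []string {
	return strings.Fields(strings.Join(flags, " "))
}

// smuggledFlags returns the driver arguments that were never validated:
// produced by the re-split, but not accepted by the allow-list.
func smuggledFlags(flags []string) []string {
	var smuggled []string
	for _, a := range gccgoArgs(flags) {
		if !flagAllowed(a) {
			smuggled = append(smuggled, a)
		}
	}
	return smuggled
}

// checkFlagsHardened rejects any entry containing whitespace, so the
// per-flag validation and the later re-split agree on what the flags are.
// (Defensive illustration; not the upstream fix.)
func checkFlagsHardened(flags []string) error {
	for _, f := range flags {
		if strings.IndexFunc(f, unicode.IsSpace) >= 0 {
			return fmt.Errorf("invalid flag in #cgo LDFLAGS: %q (embedded whitespace)", f)
		}
	}
	return checkFlags(flags)
}

func main() {
	// Constructed sample: LDFLAGS a malicious module might declare. The
	// second entry is one string whose rpath argument carries a space and
	// then a flag the allow-list would never accept on its own.
	flags := []string{
		"-L/usr/local/lib",
		"-Wl,-rpath,/tmp/lib -fplugin=./evil.so",
	}
	fmt.Println("per-flag check:", checkFlags(flags))        // nil: both entries match a pattern
	fmt.Println("driver args:   ", gccgoArgs(flags))         // three args, one never validated
	fmt.Println("smuggled:      ", smuggledFlags(flags))     // [-fplugin=./evil.so]
	fmt.Println("hardened:      ", checkFlagsHardened(flags)) // rejected
}
```

The point the program makes is that validation and consumption must tokenize identically: a check that accepts a flag as one string is only meaningful if nothing downstream splits that string again.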
Vulnerability Analysis
CVE-2023-29405 is exploitable with network access (a malicious module fetched and built), requires no privileges and no user interaction, and has low attack complexity. Its potential impact is rated critical: a successful exploit runs arbitrary code on the build host, with high impact on the confidentiality, integrity and availability of the affected component.
Products Associated with CVE-2023-29405
Affected Versions
Go toolchain cmd/go:
- Versions before 1.19.10 are affected.
- Versions from 1.20.0-0 up to, but not including, 1.20.5 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.