#VU81964 Input validation error in Go programming language - CVE-2023-39323


Vulnerability identifier: #VU81964

Vulnerability risk: Medium

CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-39323

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when processing line directives (e.g. "//line") in the code. A remote attacker can bypass restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build".

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.20 - 1.21.1

External links
https://pkg.go.dev/vuln/GO-2023-2095
https://groups.google.com/g/golang-announce/c/XBa1oHDevAo
https://go.dev/cl/533215
https://go.dev/issue/63211

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Amazon Linux AMI update for ecs-service-connect-agent
Amazon Linux AMI update for golang
Ubuntu update for golang-1.18
Ubuntu update for golang-1.17
Splunk Enterprise update for third-party components
Multiple vulnerabilities in Storage Protect Plus Server
Multiple vulnerabilities in IBM Robotic Process Automation
Multiple vulnerabilities in Dell ObjectScale
Multiple vulnerabilities in IBM Storage Protect Server
Multiple vulnerabilities in IBM Planning Analytics Workspace