CVE-2023-39320

Published: September 8, 2023
Last modified: October 1, 2025

Description

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Severity score breakdown

| Parameter | Value |
| --- | --- |
| Base score | 9.8 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Status

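| Product | Release | Package | Status |
| --- | --- | --- | --- |
| Alpaquita Linux | 23 LTS | go | Fixed (1.21.7-r0) |
| Alpaquita Linux | Stream | go | Not affected (1.21.1-r0) |
| Hardened Containers | 23 LTS | go | Fixed (1.21.7-r0) |
| Hardened Containers | Stream | go | Not affected (1.21.1-r0) |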
