CVE-2020-28366

Published: Nov 18, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Vendor	Product	Versions
Go toolchain	cmd/go	affected `0 - < 1.14.12` affected `1.15.0-0 - < 1.15.5`
Go toolchain	cmd/cgo	affected `0 - < 1.14.12` affected `1.15.0-0 - < 1.15.5`

References

https://go.dev/cl/269658

https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292

https://go.dev/issue/42559

https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM

https://pkg.go.dev/vuln/GO-2022-0475

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-28366

Description

Affected Products

References