Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
References
Link | Resource |
---|---|
https://blog.golang.org/path-security | Vendor Advisory |
https://groups.google.com/g/golang-announce/c/mperVMGa98w | Release Notes Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/ | |
https://security.gentoo.org/glsa/202208-02 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20210219-0001/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2021-01-26 18:16
Updated : 2024-02-28 18:08
NVD link : CVE-2021-3115
Mitre link : CVE-2021-3115
CVE.ORG link : CVE-2021-3115
JSON object : View
Products Affected
netapp
- cloud_insights_telegraf_agent
- storagegrid
golang
- go
microsoft
- windows
fedoraproject
- fedora
CWE
CWE-427
Uncontrolled Search Path Element