Fluid Attacks Database

Description

Arbitrary code execution via go.mod toolchain directive in cmd/go The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	toolchain	>=1.21.0-0 <1.21.1	1.21.1

Aliases

1. CVE-2023-393202. NVD-2023-393203. OSV-GO-2023-20424. OSV-2023-393205. GCVE-2023-39320

References

1. https://go.dev/issue/621982. https://go.dev/cl/5261583. https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ4. https://github.com/ayrustogaru/cve-2023-39320

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.