Fluid Attacks Database

Description

Arbitrary code execution during build on Darwin in cmd/go On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	toolchain	>=0 <1.21.10	1.21.10

Aliases

1. CVE-2024-247872. NVD-2024-247873. OSV-GO-2024-28254. OSV-2024-247875. GCVE-2024-24787

References

1. https://go.dev/issue/671192. https://go.dev/cl/5838153. https://groups.google.com/g/golang-announce/c/wkkO4P9stm04. https://github.com/LOURC0D3/CVE-2024-24787-PoC

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.