CVE-2023-29404 Report - Details, Severity, & Advisories
Twingate Team
•
Jul 12, 2024
What is CVE-2023-29404?
CVE-2023-29404 is a critical security vulnerability affecting systems using the Go programming language with cgo. With a severity score of 9.8, this vulnerability allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. The issue stems from improper sanitization of linker flags in the LDFLAGS directive. Systems impacted include those running Go versions up to 1.19.10 and from 1.20.0 to 1.20.5, as well as Fedora 37 systems using Go.
Who is impacted by this?
The CVE-2023-29404 vulnerability affects users of the Go programming language who run certain commands on malicious modules or untrusted code. This issue is present in Go versions up to 1.19.10 and from 1.20.0 to 1.20.5. Additionally, Fedora 37 systems using Go are also impacted by this vulnerability.
What to do if CVE-2023-29404 affected you
If you're affected by the CVE-2023-29404 vulnerability, it's important to take action to secure your system. Here's a simple step-by-step guide:
Update to the latest Go versions 1.20.5 or 1.19.10. Download and install from the Go website.
If using a Git clone, update to the release with
git checkout go1.20.5
and build as usual.For Fedora 37 users, update to go1.19.12 using the command:
su -c 'dnf upgrade --advisory FEDORA-2023-1819dc9854'
.If affected by the gccgo or GoLLVM issue, wait for the next minor release to fix the problem.
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2023-29404 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This issue allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. It was added to the National Vulnerability Database on June 8, 2023. There is no specific due date or required action mentioned, but updating to the latest Go versions and applying available patches can help address the vulnerability.
Weakness Enumeration
The weakness enumeration for this vulnerability is categorized as CWE-94, which involves improper control of code generation, leading to code injection.
Learn More
For a comprehensive understanding of the vulnerability, its severity, technical details, and affected software configurations, refer to the NVD page and the sources listed below.
Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.
CVE-2023-29404 Report - Details, Severity, & Advisories
Twingate Team
•
Jul 12, 2024
What is CVE-2023-29404?
CVE-2023-29404 is a critical security vulnerability affecting systems using the Go programming language with cgo. With a severity score of 9.8, this vulnerability allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. The issue stems from improper sanitization of linker flags in the LDFLAGS directive. Systems impacted include those running Go versions up to 1.19.10 and from 1.20.0 to 1.20.5, as well as Fedora 37 systems using Go.
Who is impacted by this?
The CVE-2023-29404 vulnerability affects users of the Go programming language who run certain commands on malicious modules or untrusted code. This issue is present in Go versions up to 1.19.10 and from 1.20.0 to 1.20.5. Additionally, Fedora 37 systems using Go are also impacted by this vulnerability.
What to do if CVE-2023-29404 affected you
If you're affected by the CVE-2023-29404 vulnerability, it's important to take action to secure your system. Here's a simple step-by-step guide:
Update to the latest Go versions 1.20.5 or 1.19.10. Download and install from the Go website.
If using a Git clone, update to the release with
git checkout go1.20.5
and build as usual.For Fedora 37 users, update to go1.19.12 using the command:
su -c 'dnf upgrade --advisory FEDORA-2023-1819dc9854'
.If affected by the gccgo or GoLLVM issue, wait for the next minor release to fix the problem.
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2023-29404 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This issue allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. It was added to the National Vulnerability Database on June 8, 2023. There is no specific due date or required action mentioned, but updating to the latest Go versions and applying available patches can help address the vulnerability.
Weakness Enumeration
The weakness enumeration for this vulnerability is categorized as CWE-94, which involves improper control of code generation, leading to code injection.
Learn More
For a comprehensive understanding of the vulnerability, its severity, technical details, and affected software configurations, refer to the NVD page and the sources listed below.
Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.
CVE-2023-29404 Report - Details, Severity, & Advisories
Twingate Team
•
Jul 12, 2024
What is CVE-2023-29404?
CVE-2023-29404 is a critical security vulnerability affecting systems using the Go programming language with cgo. With a severity score of 9.8, this vulnerability allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. The issue stems from improper sanitization of linker flags in the LDFLAGS directive. Systems impacted include those running Go versions up to 1.19.10 and from 1.20.0 to 1.20.5, as well as Fedora 37 systems using Go.
Who is impacted by this?
The CVE-2023-29404 vulnerability affects users of the Go programming language who run certain commands on malicious modules or untrusted code. This issue is present in Go versions up to 1.19.10 and from 1.20.0 to 1.20.5. Additionally, Fedora 37 systems using Go are also impacted by this vulnerability.
What to do if CVE-2023-29404 affected you
If you're affected by the CVE-2023-29404 vulnerability, it's important to take action to secure your system. Here's a simple step-by-step guide:
Update to the latest Go versions 1.20.5 or 1.19.10. Download and install from the Go website.
If using a Git clone, update to the release with
git checkout go1.20.5
and build as usual.For Fedora 37 users, update to go1.19.12 using the command:
su -c 'dnf upgrade --advisory FEDORA-2023-1819dc9854'
.If affected by the gccgo or GoLLVM issue, wait for the next minor release to fix the problem.
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2023-29404 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This issue allows arbitrary code execution at build time when using certain commands on malicious modules or untrusted code. It was added to the National Vulnerability Database on June 8, 2023. There is no specific due date or required action mentioned, but updating to the latest Go versions and applying available patches can help address the vulnerability.
Weakness Enumeration
The weakness enumeration for this vulnerability is categorized as CWE-94, which involves improper control of code generation, leading to code injection.
Learn More
For a comprehensive understanding of the vulnerability, its severity, technical details, and affected software configurations, refer to the NVD page and the sources listed below.
Solutions
Solutions
The VPN replacement your workforce will love.
Solutions