/

CVE-2023-29405 Report - Details, Severity, & Advisorie...

CVE-2023-29405 Report - Details, Severity, & Advisories

Twingate Team

Jul 4, 2024

What is CVE-2023-29405?

CVE-2023-29405 is a critical vulnerability (severity score of 9.8) in systems using the Go programming language with cgo and LDFLAGS. It allows arbitrary code execution at build time when running "go get" on a malicious module or any command that builds untrusted code. Systems using the gccgo compiler with Go command and cgo, including specific versions of golang and Fedora Project: Fedora 38, are particularly affected. Users must update their systems to mitigate this security risk.

Who is impacted by this?

CVE-2023-29405 affects users of the Go programming language who use the go command with cgo and the gccgo compiler. Specifically, it impacts Go versions up to 1.19.10 (excluding) and from 1.20.0 (including) up to 1.20.5 (excluding), as well as Fedora 38. This vulnerability may lead to arbitrary code execution at build time when using cgo and building untrusted code.

What to do if CVE-2023-29405 affected you

If you're affected by the CVE-2023-29405 vulnerability, it's crucial to update your Go programming language version to mitigate the security risk. Follow these steps:

  1. Check your Go version by running go version in your terminal.

  2. If your version is affected, update to Go 1.19.10 or 1.20.5, depending on your current version. Visit the Go download page for the latest release.

  3. For Fedora 38 users, apply the Fedora 37 Update for golang-1.19.12-1.fc37.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-29405 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This critical vulnerability affects systems using the Go programming language with cgo and LDFLAGS, and may allow arbitrary code execution at build time. To mitigate the security risk, users should update their Go version to 1.19.10 or 1.20.5, or apply the relevant patches to their Go installations.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-74, which involves improper neutralization of special elements in output used by a downstream component ('Injection').

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and affected software configurations, refer to the NVD page or the sources listed below.

Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.

/

CVE-2023-29405 Report - Details, Severity, & Advisorie...

CVE-2023-29405 Report - Details, Severity, & Advisories

Twingate Team

Jul 4, 2024

What is CVE-2023-29405?

CVE-2023-29405 is a critical vulnerability (severity score of 9.8) in systems using the Go programming language with cgo and LDFLAGS. It allows arbitrary code execution at build time when running "go get" on a malicious module or any command that builds untrusted code. Systems using the gccgo compiler with Go command and cgo, including specific versions of golang and Fedora Project: Fedora 38, are particularly affected. Users must update their systems to mitigate this security risk.

Who is impacted by this?

CVE-2023-29405 affects users of the Go programming language who use the go command with cgo and the gccgo compiler. Specifically, it impacts Go versions up to 1.19.10 (excluding) and from 1.20.0 (including) up to 1.20.5 (excluding), as well as Fedora 38. This vulnerability may lead to arbitrary code execution at build time when using cgo and building untrusted code.

What to do if CVE-2023-29405 affected you

If you're affected by the CVE-2023-29405 vulnerability, it's crucial to update your Go programming language version to mitigate the security risk. Follow these steps:

  1. Check your Go version by running go version in your terminal.

  2. If your version is affected, update to Go 1.19.10 or 1.20.5, depending on your current version. Visit the Go download page for the latest release.

  3. For Fedora 38 users, apply the Fedora 37 Update for golang-1.19.12-1.fc37.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-29405 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This critical vulnerability affects systems using the Go programming language with cgo and LDFLAGS, and may allow arbitrary code execution at build time. To mitigate the security risk, users should update their Go version to 1.19.10 or 1.20.5, or apply the relevant patches to their Go installations.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-74, which involves improper neutralization of special elements in output used by a downstream component ('Injection').

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and affected software configurations, refer to the NVD page or the sources listed below.

Rapidly implement a modern Zero Trust network that is more secure and maintainable than VPNs.

CVE-2023-29405 Report - Details, Severity, & Advisories

Twingate Team

Jul 4, 2024

What is CVE-2023-29405?

CVE-2023-29405 is a critical vulnerability (severity score of 9.8) in systems using the Go programming language with cgo and LDFLAGS. It allows arbitrary code execution at build time when running "go get" on a malicious module or any command that builds untrusted code. Systems using the gccgo compiler with Go command and cgo, including specific versions of golang and Fedora Project: Fedora 38, are particularly affected. Users must update their systems to mitigate this security risk.

Who is impacted by this?

CVE-2023-29405 affects users of the Go programming language who use the go command with cgo and the gccgo compiler. Specifically, it impacts Go versions up to 1.19.10 (excluding) and from 1.20.0 (including) up to 1.20.5 (excluding), as well as Fedora 38. This vulnerability may lead to arbitrary code execution at build time when using cgo and building untrusted code.

What to do if CVE-2023-29405 affected you

If you're affected by the CVE-2023-29405 vulnerability, it's crucial to update your Go programming language version to mitigate the security risk. Follow these steps:

  1. Check your Go version by running go version in your terminal.

  2. If your version is affected, update to Go 1.19.10 or 1.20.5, depending on your current version. Visit the Go download page for the latest release.

  3. For Fedora 38 users, apply the Fedora 37 Update for golang-1.19.12-1.fc37.

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-29405 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. This critical vulnerability affects systems using the Go programming language with cgo and LDFLAGS, and may allow arbitrary code execution at build time. To mitigate the security risk, users should update their Go version to 1.19.10 or 1.20.5, or apply the relevant patches to their Go installations.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-74, which involves improper neutralization of special elements in output used by a downstream component ('Injection').

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and affected software configurations, refer to the NVD page or the sources listed below.