GO-2023-2042

See a problem?

Source

https://pkg.go.dev/vuln/GO-2023-2042

Import Source

https://vuln.go.dev/ID/GO-2023-2042.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-2042

Aliases

Published

2023-09-07T16:11:28Z

Modified

2024-05-20T16:03:47Z

Summary

Arbitrary code execution via go.mod toolchain directive in cmd/go

Details

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

References

Credits

- Juho Nurminen of Mattermost

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

1.21.0-0

Fixed

1.21.1

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}