CVE-2023-29405

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Jun 8, 2023 / Updated: 17mo ago

CVSS 9.8 (Critical) / EPSS 0.05%

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
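
A pre-build review check for the condition described above, added here as an example (it is not code from the Go project or from this page): it scans Go source text for "#cgo LDFLAGS" directives and reports any argument that still contains whitespace once quoting is taken into account. The names `ScanLDFLAGS`, `Finding` and `argRE`, the simplified quote handling and the sample input are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// argRE matches one argument: bare characters and quoted runs glued together (simplified, no backslash escapes).
var argRE = regexp.MustCompile(`(?:"[^"]*"|'[^']*'|[^\s"'])+`)

// Finding is one LDFLAGS argument that contains embedded whitespace.
type Finding struct {
	Line int
	Arg  string
}

// ScanLDFLAGS returns every "#cgo [constraints] LDFLAGS:" argument in src that contains whitespace.
func ScanLDFLAGS(src string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(src, "\n") {
		// Directives sit in the comment above import "C"; drop a leading "//".
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(raw), "//"))
		head, rest, ok := strings.Cut(line, ":")
		if !ok || !strings.HasPrefix(head, "#cgo") || !strings.HasSuffix(strings.TrimSpace(head), "LDFLAGS") {
			continue // not an LDFLAGS directive
		}
		for _, arg := range argRE.FindAllString(rest, -1) {
			if strings.ContainsAny(arg, " \t") {
				out = append(out, Finding{Line: i + 1, Arg: arg})
			}
		}
	}
	return out
}

// sample is constructed input for this example, not taken from a real module.
const sample = `package demo
// #cgo LDFLAGS: -lm -L/usr/lib
// #cgo linux LDFLAGS: "-L/opt/demo lib" -lz
// #cgo CFLAGS: "-I/opt/demo include"
import "C"
`

func main() {
	for _, f := range ScanLDFLAGS(sample) {
		fmt.Printf("line %d: LDFLAGS argument with embedded whitespace: %s\n", f.Line, f.Arg)
	}
}
```

A hit is a prompt to review the directive before building, not proof that a module is malicious; per the description above, only builds that use gccgo are affected.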

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-29405.

May 19, 2023 at 6:50 PM / github.com

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (907499)

Nov 16, 2023 at 3:04 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (186294)

Nov 27, 2023 at 12:15 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6021364)

Oct 10, 2024 at 7:53 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208702)

Oct 10, 2024 at 11:16 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (912082)

Nov 14, 2024 at 7:53 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6021444)

Nov 14, 2024 at 7:53 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (210950)

Nov 15, 2024 at 12:15 AM

Affected Systems

Golang/go

Patches

Oracle

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-137: Parameter Injection

Vendor Advisory

Oracle Linux Bulletin - July 2023
Component: linux-firmware

References

golang-1.19.12-1.fc37
FEDORA-2023-1819dc9854 Packages in this update: golang-1.19.12-1.fc37 Update description: This update includes a security fix to the crypto/tls package, as well as bug fixes to the assembler and the compiler. This update includes a security fix to the net/http package, as well as bug fixes to the compiler, cgo, the cover tool, the go command, the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template packages.

News

ubuntu_linux USN-7109-1: Ubuntu 16.04 LTS / Ubuntu 18.04 LTS / Ubuntu 20.04 LTS / Ubuntu 22.04 LTS : Go vulnerabilities (USN-7109-1)
Development Last Updated: 11/14/2024 CVEs: CVE-2023-29403, CVE-2023-29402, CVE-2023-39319, CVE-2023-29405, CVE-2024-24784, CVE-2024-24789, CVE-2023-45290, CVE-2024-34158, CVE-2023-29404, CVE-2023-24536, CVE-2023-45288, CVE-2024-34156, CVE-2024-24790, CVE-2024-24785, CVE-2023-39318, CVE-2022-41723, CVE-2024-34155, CVE-2023-39325, CVE-2022-41725, CVE-2023-24531, CVE-2022-41724, CVE-2024-24783, CVE-2024-24791, CVE-2023-39323, CVE-2023-29406
USN-7109-1: Go vulnerabilities
(CVE-2023-24536) Juho Nurminen discovered that Go incorrectly handled certain special characters in directory or file paths. (CVE-2023-29403) Juho Nurminen discovered that Go incorrectly handled certain compiler directives.
EDK II, Kernel, Go, libgsf updates for Ubuntu
remote attacker could possibly use this issue to cause EDK II to consume A remote attacker could use this issue to cause EDK II to
Anthos GKE - Google Distributed Cloud (software only) for VMware 1.30.200-gke.101 is now available for download
## Fix
The following issues are fixed in 1.30.200-gke.101:
* Fixed the [known issue](https://cloud.google.com/kubernetes-engine/distributed-cloud/vmware/docs/troubleshooting/known-issues#migrating-a-user-cluster-to-controlplane-v2-fails-if-secrets-encryption-has-ever-been-enabled) that caused migrating a user cluster to Controlplane V2 to fail if secrets encryption had ever been enabled.
* Fixed the [known issue](https://cloud.google.com/kubernetes-engine/distributed-cloud/vmware/docs/troubleshooting/known-issues#migrating-an-admin-cluster-from-non-ha-to-ha-fails-if-secrets-encryption-is-enabled) that caused migrating an admin cluster from non-HA to HA to fail if secret encryption was enabled.
October 10, 2024
Fixed the known issue that caused migrating a user cluster to Controlplane V2 to fail if secrets encryption had ever been enabled. Fixed the known issue that caused migrating an admin cluster from non-HA to HA to fail if secret encryption was enabled.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
