CVE-2020-28366

Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo

EPSS 2.2%

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Affected products

Go toolchain · cmd/cgo Go toolchain · cmd/go

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://go.dev/cl/269658 https://go.dev/issue/42559 https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292 https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM https://pkg.go.dev/vuln/GO-2022-0475