CVE-2021-3115 Information
Jun 07, 2022
cve
Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the `go get` command to fetch modules that make use of cgo (for example cgo can execute a gcc program from an untrusted download).
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://blog.golang.org/path-security
https://groups.google.com/g/golang-announce/c/mperVMGa98w
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
https://security.netapp.com/advisory/ntap-20210219-0001/
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.5
Base Severity
HIGH