{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39323", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2023-07-27T17:05:55.188Z", "datePublished": "2023-10-05T20:36:58.756Z", "dateUpdated": "2025-06-12T15:15:12.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-11-25T11:09:58.922Z"}, "title": "Arbitrary code execution during build via line directives in cmd/go", "descriptions": [{"lang": "en", "value": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.20.9", "status": "affected", "versionType": "semver"}, {"version": "1.21.0-0", "lessThan": "1.21.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://go.dev/issue/63211"}, {"url": "https://go.dev/cl/533215"}, {"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2095"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0001/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.899Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/63211", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/533215", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2095", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-09", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-12T15:14:25.966284Z", "id": "CVE-2023-39323", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T15:15:12.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/63211", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/533215", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2023-2095", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0001/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202311-09", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:02:06.899Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-39323", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-12T15:14:25.966284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T15:15:03.844Z"}}], "cna": {"title": "Arbitrary code execution during build via line directives in cmd/go", "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "versions": [{"status": "affected", "version": "0", "lessThan": "1.20.9", "versionType": "semver"}, {"status": "affected", "version": "1.21.0-0", "lessThan": "1.21.2", "versionType": "semver"}], "packageName": "cmd/go", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/issue/63211"}, {"url": "https://go.dev/cl/533215"}, {"url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"}, {"url": "https://pkg.go.dev/vuln/GO-2023-2095"}, {"url": "https://security.netapp.com/advisory/ntap-20231020-0001/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"}, {"url": "https://security.gentoo.org/glsa/202311-09"}], "descriptions": [{"lang": "en", "value": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-11-25T11:09:58.922Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39323", "state": "PUBLISHED", "dateUpdated": "2025-06-12T15:15:12.065Z", "dateReserved": "2023-07-27T17:05:55.188Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2023-10-05T20:36:58.756Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "84851C3D-3035-457E-96D9-48E219817D58", "versionEndExcluding": "1.20.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7381A279-81EB-48D9-8065-C733FA8736B8", "versionEndExcluding": "1.21.2", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."}, {"lang": "es", "value": "Las directivas de l\u00ednea (\"//line\") se pueden utilizar para evitar las restricciones de las directivas \"//go:cgo_\", permitiendo que se pasen indicadores bloqueados del enlazador y del compilador durante la compilaci\u00f3n. Esto puede provocar la ejecuci\u00f3n inesperada de c\u00f3digo arbitrario al ejecutar \"go build\". La directiva de l\u00ednea requiere la ruta absoluta del archivo en el que se encuentra la directiva, lo que hace que explotar este problema sea significativamente m\u00e1s complejo."}], "id": "CVE-2023-39323", "lastModified": "2025-06-12T16:15:20.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-10-05T21:15:11.283", "references": [{"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/533215"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch"], "url": "https://go.dev/issue/63211"}, {"source": "security@golang.org", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"}, {"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2095"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://go.dev/cl/533215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://go.dev/issue/63211"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/XBa1oHDevAo"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2023-2095"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202311-09"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231020-0001/"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2023:6928", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8090020231013032436.26eb71ac", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHEA-2023:7311", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "rhel8/go-toolset:1.20.10-3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-16T00:00:00Z"}, {"advisory": "RHEA-2023:7311", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ubi8/go-toolset:1.20.10-3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-16T00:00:00Z"}], "bugzilla": {"description": "golang: cmd/go: line directives allows arbitrary execution during build", "id": "2242544", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242544"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-94", "details": ["Line directives (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.", "A flaw was found in the golang cmd/go standard library. A line directive (\"//line\") can be used to bypass the restrictions on \"//go:cgo_\" directives, allowing blocked linker and compiler flags to pass during compilation. This can result in the unexpected execution of arbitrary code when running \"go build\". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex."], "name": "CVE-2023-39323", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "go-toolset-7-golang", "product_name": "Red Hat Storage 3"}], "public_date": "2023-10-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39323\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39323\nhttps://go.dev/cl/533215\nhttps://go.dev/issue/63211\nhttps://groups.google.com/g/golang-announce/c/XBa1oHDevAo\nhttps://vuln.go.dev/ID/GO-2023-2095.json"], "statement": "This attack requires knowledge of the absolute path to the file containing the malicious directive, which significantly limits its feasibility for external attackers unless they already have local access or detailed knowledge of the system's layout. To exploit the vulnerability, an attacker must also convince a developer to download and build a malicious Go module\u2014an action typically constrained by trusted workflows and package verification.\nImportantly, this vulnerability does not impact running applications. Instead, it targets the development process, specifically developers or CI/CD pipelines during the build phase, further narrowing its scope.\nAs a result, this issue has been rated Moderate due to the multiple complex and unlikely prerequisites required for a successful exploit.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform leverages a web application firewall (WAF) to filter and block malicious input before it reaches the application. It applies managed and custom rule sets to detect suspicious patterns such as embedded scripting functions and remote code execution attempts. By enforcing strict input validation and preventing unauthorized execution of user-supplied code, the WAF reduces the risk of exploitation. Additional protections like rate limiting and bot mitigation help prevent automated injection attacks, while integration with logging, monitoring, and threat detection systems enhances visibility and response capabilities. Through real-time monitoring and automated blocking, the WAF provides a strong layer of defense against code injection vulnerabilities, lowering the likelihood of successful exploitation.", "threat_severity": "Moderate"}