CVE-2021-3115
NixOS vulnerability analysis and mitigation

Overview

CVE-2021-3115 affects Go versions before 1.14.14 and 1.15.x before 1.15.7 on Windows systems. The vulnerability involves command injection and remote code execution when using the "go get" command to fetch modules that make use of cgo. The issue was discovered in January 2021 and was fixed with the release of Go 1.14.14 and 1.15.7 (Golang Blog, Golang Announce).

Technical details

The vulnerability stems from how the go command resolves the host C compiler on PATH during cgo operations. When building a package that uses cgo, the go command runs the C compiler with the package source directory as the working directory, so a file named gcc.exe placed in that directory by the module author can be executed instead of the system gcc compiler. This is possible because Windows always searches the current directory first when resolving an executable name, regardless of the PATH setting. The vulnerability has a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NetApp Advisory).

Impact

Successful exploitation of this vulnerability could lead to arbitrary code execution during the build process when using the "go get" command or any other command that builds code. It primarily affects Windows users, but Unix users who have "." listed explicitly in their PATH and who run "go get" or build commands outside of a module, or with module mode disabled, are also vulnerable (Golang Blog).

Mitigation and workarounds

The issue has been fixed in Go versions 1.14.14 and 1.15.7. Users should upgrade to one of these versions or later. The fix includes changes to the go command to pass the full host C compiler path to cgo and modifications to prevent execution of programs from the current directory during PATH lookups (Golang Announce).
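The two preconditions the Technical details and Impact sections describe, a compiler-named executable inside the fetched source tree and a PATH that resolves to the current directory, can both be checked before a build runs. The following Go program is an added example written for this page; it is not code from the Go project or from the advisory, and the list of compiler names it looks for is an assumption chosen for illustration. It reports PATH entries that mean "current directory" and walks a source tree for files named like a C compiler, which is the file a current-directory-first lookup would pick up instead of the system toolchain.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// compilerNames lists executable names a cgo build resolves through PATH.
// Assumption: an illustrative list, not the go command's own.
var compilerNames = map[string]bool{
	"gcc": true, "gcc.exe": true,
	"cc": true, "cc.exe": true,
	"clang": true, "clang.exe": true,
}

// InsecurePathEntries returns every element of a PATH-style list that
// resolves to the current working directory: a literal "." and, because
// an empty element is treated as the current directory on Unix, "" as well.
// sep is the list separator (':' on Unix, ';' on Windows).
func InsecurePathEntries(pathList string, sep rune) []string {
	var bad []string
	for _, entry := range strings.Split(pathList, string(sep)) {
		if entry == "." || entry == "" {
			bad = append(bad, entry)
		}
	}
	return bad
}

// SuspiciousToolchainFiles walks a fetched source tree and returns the path of
// every regular file whose base name matches a compiler name. Such a file in
// the package directory is what "go build" could execute instead of the
// system compiler on an unpatched toolchain.
func SuspiciousToolchainFiles(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		if compilerNames[strings.ToLower(d.Name())] {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

func main() {
	// Check the real PATH of this process.
	for _, e := range InsecurePathEntries(os.Getenv("PATH"), os.PathListSeparator) {
		fmt.Printf("PATH contains current-directory entry %q\n", e)
	}

	// Scan the directory given on the command line (default: the module
	// cache-style checkout in the current directory).
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := SuspiciousToolchainFiles(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("compiler-named file in source tree:", h)
	}
	if len(hits) > 0 {
		os.Exit(1)
	}
}
```

Run it against a module checkout before building untrusted code; a non-zero exit means either check fired. Both checks are conservative: a file named gcc.exe inside a Go module has no legitimate reason to exist, and a "." or empty PATH element is a misconfiguration independent of this CVE.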


Related NixOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-2370 | HIGH | 8.8 | GitLab | gitlab | No | Yes | Mar 30, 2026 |
| CVE-2026-33206 | HIGH | 8.2 | NixOS | calibre | No | Yes | Mar 27, 2026 |
| CVE-2026-33868 | MEDIUM | 6.1 | NixOS | mastodon | No | Yes | Mar 27, 2026 |
| CVE-2026-33869 | MEDIUM | 4.8 | NixOS | cpe:2.3:a:joinmastodon:mastodon | No | Yes | Mar 27, 2026 |
| CVE-2026-33205 | MEDIUM | 4.8 | NixOS | cpe:2.3:a:calibre-ebook:calibre | No | Yes | Mar 27, 2026 |
