Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2023-29402
CVE-2023-29402:
NixOS vulnerability analysis and mitigation
Overview
The Go command (CVE-2023-29402) contains a vulnerability that may generate unexpected code at build time when using cgo. This vulnerability was discovered in June 2023 and affects Go versions prior to 1.19.10 and versions 1.20.0 through 1.20.5. The issue occurs when running an untrusted module containing directories with newline characters in their names. Notably, modules retrieved using the go command via 'go get' are not affected, but those retrieved using GOPATH-mode (GO111MODULE=off) may be vulnerable (Golang Announce, NVD).
Technical details
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically relates to the cgo functionality in the Go command, where malicious code could be injected during the build process through directories containing newline characters. This vulnerability is classified as a Code Injection (CWE-94) issue (NVD).
Impact
Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to execute arbitrary code during the build process. The impact includes potential disclosure of sensitive information, addition or modification of data, and possible Denial of Service (DoS). The critical CVSS score indicates the severity of potential impact if exploited (NetApp Security).
Mitigation and workarounds
The vulnerability has been patched in Go versions 1.19.10 and 1.20.5. Users are advised to upgrade to these or later versions to mitigate the risk. For Go 1.19.x, upgrade to version 1.19.10 or later, and for Go 1.20.x, upgrade to version 1.20.5 or later. No workarounds are available for unpatched versions (Golang Announce).
Community reactions
The vulnerability was responsibly disclosed and acknowledged by the Go team, with credit given to Juho Nurminen of Mattermost for reporting the issue. Various Linux distributions and software vendors have released security advisories and patches in response to this vulnerability, including Fedora, Gentoo, and NetApp (Gentoo Security, Fedora Update).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management