CVE-2023-39320: 
NixOS vulnerability analysis and mitigation

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. The vulnerability was discovered by Juho Nurminen of Mattermost and was assigned CVE-2023-39320 (Go Issue, Go Advisory).

The vulnerability affects Go versions from 1.21.0-0 before 1.21.1. It has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability (NVD, NetApp Advisory).

Successful exploitation of this vulnerability could lead to remote code execution, allowing attackers to execute arbitrary scripts and binaries relative to the root of the module. The vulnerability has high impact ratings for confidentiality, integrity, and availability, potentially allowing attackers to access sensitive information, modify data, or cause denial of service (NetApp Advisory).

The vulnerability has been fixed in Go version 1.21.1. Users are advised to upgrade to this version or later to mitigate the risk. The fix was released on September 6, 2023, as part of Go versions 1.21.1 and 1.20.8 (Golang Dev).

Multiple organizations and vendors have acknowledged the vulnerability and provided advisories, including NetApp, Gentoo, and Ubuntu. Gentoo classified it as a high-severity issue and recommended users upgrade to version 1.20.10 or later (Gentoo Advisory).