Vulnerability Details : CVE-2023-24531
The go env command is documented as outputting a shell script containing the Go environment. However, go env does not sanitize the values it prints, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. The practical exposure is a workflow that evaluates the whole go env output in a shell (for example with eval) while one of the printed values, such as GOFLAGS, can be influenced by an untrusted party. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
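Why evaluating go env output in a shell is unsafe, as an added example that is not from this page or from the Go project: the KEY=VALUE lines below are constructed sample data in the shape of the pre-1.21 double-quoted format and the fixed single-quoted format, not output captured from a real toolchain, and the GOFLAGS value containing a command substitution is an assumption made for the example. The script shows that the hostile value runs under eval in the double-quoted format but stays literal in the single-quoted one, and gives a loader that assigns values without eval. All function names are assumptions.

```shell
#!/bin/sh
# Added example: simulates go env output before and after the Go 1.21 fix.
# Both blocks are constructed sample data, not real `go env` output.

# Pre-fix style: double-quoted values. Double quotes do not stop $(...) expansion,
# so a value containing a command substitution runs when the output is eval'd.
UNSAFE_GOENV='GOARCH="amd64"
GOFLAGS="-mod=vendor $(echo INJECTED)"
GOPATH="/home/user/go"'

# Post-fix style (Go 1.21+): single-quoted values. The same value stays literal.
SAFE_GOENV="GOARCH='amd64'
GOFLAGS='-mod=vendor \$(echo INJECTED)'
GOPATH='/home/user/go'"

# Evaluates go env style output the way `eval "$(go env)"` does and returns
# the resulting GOFLAGS. With the unsafe format the substitution has executed.
eval_goflags() {
    GOFLAGS=
    eval "$1"
    printf '%s\n' "$GOFLAGS"
}

# Loads KEY="VALUE" lines without eval: the value is assigned literally, so nothing
# inside it is expanded. Keys must be valid shell identifiers; other lines are rejected.
load_goenv_literal() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}
        val=${line#*=}
        case $key in
            ''|*[!A-Za-z0-9_]*|[0-9]*)
                printf 'rejected key: %s\n' "$key" >&2
                return 1 ;;
        esac
        val=${val#\"}; val=${val%\"}   # strip one pair of surrounding double quotes
        export "$key=$val"              # the argument is a word; it is not re-parsed
    done <<EOF
$1
EOF
}

# Loads the output literally and returns GOFLAGS as the caller would then see it.
literal_goflags() {
    GOFLAGS=
    load_goenv_literal "$1" || return 1
    printf '%s\n' "$GOFLAGS"
}

# Single-quotes a value the way the fixed go env does: embedded ' becomes '\''.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Round-trips a value through shell_quote and eval; returns the recovered value,
# which must equal the input for the quoting to be safe.
quote_roundtrip() {
    X=
    eval "X=$(shell_quote "$1")"
    printf '%s\n' "$X"
}

printf 'eval of pre-fix output:   GOFLAGS=%s\n' "$(eval_goflags "$UNSAFE_GOENV")"
printf 'eval of post-fix output:  GOFLAGS=%s\n' "$(eval_goflags "$SAFE_GOENV")"
printf 'literal load of pre-fix:  GOFLAGS=%s\n' "$(literal_goflags "$UNSAFE_GOENV")"
printf 'quote round trip:         %s\n' "$(quote_roundtrip "it's \$(echo INJECTED)")"
```

In a build script, reading single variables with `go env GOPATH` or parsing `go env -json` avoids evaluating the whole script at all, and a toolchain at or above the fixed 1.21.0 release prints single-quoted values so that the remaining eval-based workflows read them back literally.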
Exploit prediction scoring system (EPSS) score for CVE-2023-24531
EPSS score: 0.66% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~70% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-24531
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-08-21
References for CVE-2023-24531
- https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ (Go 1.21.0 is released)
- https://security.netapp.com/advisory/ntap-20250328-0005/
- https://go.dev/issue/58508 (cmd/go: "go env" output does not sanitize values, golang/go issue #58508)
- https://go.dev/cl/493535 (cmd/go: quote entries in list-valued variables for go env in plan9, Gerrit CL 493535)
- https://pkg.go.dev/vuln/GO-2024-2962 (GO-2024-2962, Go vulnerability database)
- https://go.dev/cl/488375