[GO-2024-2825] Arbitrary code execution during build on Darwin in cmd/go
Severity
Medium
Affected Packages
2
Fixed Packages
2
CVEs
1
On Darwin, building a Go module which contains CGO can trigger arbitrary code
execution when using the Apple version of ld, due to usage of the -lto_library
flag in a "#cgo LDFLAGS" directive.
| Package | Affected Version |
|---|---|
 pkg:golang/cmd/go
|
>= 1.22.2, < 1.21.10 |
|
pkg:golang/cmd/go
|
>= 1.22.2, < 1.22.3 |
| Package | Fixed Version |
|---|---|
|
pkg:golang/cmd/go
|
= 1.21.10 |
|
pkg:golang/cmd/go
|
= 1.22.3 |
- ID
- GO-2024-2825
- Severity
- medium
- Severity from
- CVE-2024-24787
- URL
- https://pkg.go.dev/vuln/GO-2024-2825
- Published
-
2024-05-07T21:05:52
(4 months ago) - Modified
-
2024-06-27T17:38:19
(2 months ago) - Other Advisories
SUSE-SU-2024:1573-1| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |