CVE-2020-28366

Summary

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/go0 < 1.14.12affected
Go toolchaincmd/go1.15.0-0 < 1.15.5affected
Go toolchaincmd/cgo0 < 1.14.12affected
Go toolchaincmd/cgo1.15.0-0 < 1.15.5affected

Weaknesses

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

References