CVE-2020-28367

Summary

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

Affected Software

VendorProductVersion RangeStatus
Go toolchaincmd/go0 < 1.14.12affected
Go toolchaincmd/go1.15.0-0 < 1.15.5affected

Weaknesses

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CVE Program Container

Additional References

References