vulnerability
Arch Linux: Arbitrary command execution (CVE-2021-3115)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:H/Au:N/C:P/I:P/A:P) | Jan 26, 2021 | Jul 11, 2025 | Nov 27, 2025 |
Severity
5
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published
Jan 26, 2021
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
A security issue was found in Go and fixed in versions 1.15.7 and 1.14.14. The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get for a malicious package, or any other time the code is built. This can be triggered by malicious packages which contain specifically named binaries which are executed when cgo is executed in the context of the malicious package directory. This is due to the path lookup behavior of os/exec.LookPath on Windows. This will also affect Unix users who have “.” listed explicitly in their PATH and are running “go get” outside of a module or with module mode disabled. This has been fixed by altering the usage of os/exec.LookPath by the go command to reject the usage of any binaries that reside in the current directory.
Solution
arch-linux-upgrade-latest
References
- CVE-2021-3115
- https://attackerkb.com/topics/CVE-2021-3115
- URL-https://blog.golang.org/path-security
- URL-https://groups.google.com/g/golang-announce/c/mperVMGa98w
- URL-https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- URL-https://security.archlinux.org/ASA-202101-27
- URL-https://security.gentoo.org/glsa/202208-02
- URL-https://security.netapp.com/advisory/ntap-20210219-0001/
- CWE-427
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.