vulnerability
Oracle Linux: CVE-2020-28366: ELSA-2020-5493: go-toolset:ol8 security update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:H/Au:N/C:P/I:P/A:P) | Nov 12, 2020 | Dec 23, 2020 | Dec 3, 2025 |
Severity
5
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Published
Nov 12, 2020
Added
Dec 23, 2020
Modified
Dec 3, 2025
Description
Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.
An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Solutions
oracle-linux-upgrade-delveoracle-linux-upgrade-golangoracle-linux-upgrade-golang-binoracle-linux-upgrade-golang-docsoracle-linux-upgrade-golang-miscoracle-linux-upgrade-golang-raceoracle-linux-upgrade-golang-srcoracle-linux-upgrade-golang-testsoracle-linux-upgrade-go-toolset
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.