Vulnerability details: VCID-68he-dnhn-aaam
Vulnerability ID VCID-68he-dnhn-aaam
Aliases CVE-2023-29404
Summary The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29404.json
epss 0.00061 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.00083 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.00657 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.00679 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.00728 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.00827 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.03059 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
epss 0.11309 https://api.first.org/data/v1/epss?cve=CVE-2023-29404
cvssv3.1 9.8 https://go.dev/cl/501225
ssvc Track https://go.dev/cl/501225
cvssv3.1 9.8 https://go.dev/issue/60305
ssvc Track https://go.dev/issue/60305
cvssv3.1 9.8 https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
ssvc Track https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29404
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29404
cvssv3.1 9.8 https://pkg.go.dev/vuln/GO-2023-1841
ssvc Track https://pkg.go.dev/vuln/GO-2023-1841
cvssv3.1 9.8 https://security.gentoo.org/glsa/202311-09
ssvc Track https://security.gentoo.org/glsa/202311-09
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29404.json
https://api.first.org/data/v1/epss?cve=CVE-2023-29404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29404
https://go.dev/cl/501225
https://go.dev/issue/60305
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://pkg.go.dev/vuln/GO-2023-1841
https://security.netapp.com/advisory/ntap-20241115-0009/
2217565 https://bugzilla.redhat.com/show_bug.cgi?id=2217565
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVE-2023-29404 https://nvd.nist.gov/vuln/detail/CVE-2023-29404
GLSA-202311-09 https://security.gentoo.org/glsa/202311-09
RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
RHSA-2024:4119 https://access.redhat.com/errata/RHSA-2024:4119
USN-7061-1 https://usn.ubuntu.com/7061-1/
USN-7109-1 https://usn.ubuntu.com/7109-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29404.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/cl/501225
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://go.dev/cl/501225
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/issue/60305
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://go.dev/issue/60305
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29404
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2023-1841
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://pkg.go.dev/vuln/GO-2023-1841
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202311-09
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:47:37Z/ Found at https://security.gentoo.org/glsa/202311-09
Exploit Prediction Scoring System (EPSS)
Percentile 0.19332
EPSS Score 0.00061
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.