Vulnerability details: VCID-79tx-czet-aaae
Vulnerability ID VCID-79tx-czet-aaae
Aliases CVE-2023-29405
Summary The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29405.json
epss 0.00326 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.00537 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.00556 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.00606 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.00689 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.03059 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
epss 0.11309 https://api.first.org/data/v1/epss?cve=CVE-2023-29405
cvssv3.1 9.8 https://go.dev/cl/501224
ssvc Track https://go.dev/cl/501224
cvssv3.1 9.8 https://go.dev/issue/60306
ssvc Track https://go.dev/issue/60306
cvssv3.1 9.8 https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
ssvc Track https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29405
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29405
cvssv3.1 9.8 https://pkg.go.dev/vuln/GO-2023-1842
ssvc Track https://pkg.go.dev/vuln/GO-2023-1842
cvssv3.1 9.8 https://security.gentoo.org/glsa/202311-09
ssvc Track https://security.gentoo.org/glsa/202311-09
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29405.json
https://api.first.org/data/v1/epss?cve=CVE-2023-29405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29405
https://go.dev/cl/501224
https://go.dev/issue/60306
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://pkg.go.dev/vuln/GO-2023-1842
https://security.netapp.com/advisory/ntap-20241206-0003/
2217569 https://bugzilla.redhat.com/show_bug.cgi?id=2217569
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVE-2023-29405 https://nvd.nist.gov/vuln/detail/CVE-2023-29405
GLSA-202311-09 https://security.gentoo.org/glsa/202311-09
RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
RHSA-2024:4119 https://access.redhat.com/errata/RHSA-2024:4119
USN-7061-1 https://usn.ubuntu.com/7061-1/
USN-7109-1 https://usn.ubuntu.com/7109-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29405.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/cl/501224
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://go.dev/cl/501224
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/issue/60306
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://go.dev/issue/60306
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29405
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2023-1842
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://pkg.go.dev/vuln/GO-2023-1842
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202311-09
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:44:14Z/ Found at https://security.gentoo.org/glsa/202311-09
Exploit Prediction Scoring System (EPSS)
Percentile 0.54597
EPSS Score 0.00326
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.