AZL-27123

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27123.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-27123

Upstream

CVE-2023-29405

Published

2023-06-08T21:15:17Z

Modified

2026-04-01T05:08:57.669112Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2023-29405 affecting package msft-golang for versions less than 1.20.7-1

Details

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-29405

Affected packages

Azure Linux:2 / msft-golang

Package

Name: msft-golang
Purl: pkg:rpm/azure-linux/msft-golang

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.20.7-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27123.json"