cmd/go: go.mod toolchain directive allows arbitrary execution (CVE-2023-39320) [1.21 backport] #62394
Labels
CherryPickApproved
Used during the release process for point releases
FrozenDueToAge
release-blocker
Security
Milestone
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
@rolandshoemaker requested issue #62198 to be considered for backport to the next 1.21 minor release.
The text was updated successfully, but these errors were encountered: