{
  "threat_severity" : "Important",
  "public_date" : "2023-09-06T00:00:00Z",
  "bugzilla" : {
    "description" : "golang: cmd/go: go.mod toolchain directive allows arbitrary execution",
    "id" : "2237775",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2237775"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-94",
  "details" : [ "The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries located relative to the root of the module whenever the \"go\" command is run from inside that module's directory tree. In practice this means that a crafted go.mod in an untrusted module gives its author arbitrary code execution with the privileges of the user invoking \"go\". This applies to modules downloaded using the \"go\" command from the module proxy, as well as modules obtained directly with VCS software (for example a plain source checkout).", "A flaw was found in Golang. The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the \"go\" command was executed within the module. This applies to modules downloaded using the \"go\" command from the module proxy and to modules downloaded directly using VCS software." ],
  "acknowledgement" : "Red Hat would like to thank Juho Nurminen (Mattermost) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "go-toolset:rhel8/golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "go-toolset:rhel8/go-toolset",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "go-toolset-7-golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-39320\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39320\nhttps://go.dev/cl/526158\nhttps://go.dev/issue/62198\nhttps://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ\nhttps://vuln.go.dev/ID/GO-2023-2042.json" ],
  "name" : "CVE-2023-39320",
  "csaw" : false
}