CVE-2023-39320 — Arbitrary code execution via go.mod toolchain directive in cmd/go

Description

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

How to fix CVE-2023-39320

To remediate CVE-2023-39320, upgrade the affected package to a fixed version below.

—upgrade to 1.21.1 or later
—upgrade to 1.21.1 or later

Is CVE-2023-39320 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 1.21.0, < 1.21.1
>= 1.21.0-0, < 1.21.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

PATCHgo.dev/cl/526158
REPORTgo.dev/issue/62198
WEBgroups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
WEBnvd.nist.gov/vuln/detail/CVE-2023-39320
WEBpkg.go.dev/vuln/GO-2023-2042