CVE-2021-3115

Published: 26 January 2021

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
golang
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

golang-1.10
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(windows only)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(windows only)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(windows only)
golang-1.13
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(windows only)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(windows only)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(windows only)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

golang-1.14
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(windows only)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

golang-1.15
Launchpad, Ubuntu, Debian
Upstream
Released (1.15.7-1)
Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/golang/go/commit/e8e7facfaa47bf21007c0a1c679debba52ec3ea0
golang-1.6
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(windows only)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

golang-1.8
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(windows only)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

golang-1.9
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(windows only)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist