CVE-2020-28367 — golang-1.11 - security update

Description

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

How to fix CVE-2020-28367

To remediate CVE-2020-28367, upgrade the affected package to a fixed version below.

Bitnami/golang—upgrade to 1.14.12 or later
—upgrade to 1.11.6-1+deb10u6 or later
—upgrade to 1.15.5-1 or later
—upgrade to 1.14.12 or later

Is CVE-2020-28367 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.14.12, >= 1.15.0, < 1.15.5
from 0, < 1.11.6-1+deb10u6
from 0, < 1.15.5-1
from 0, < 1.14.12, >= 1.15.0-0, < 1.15.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (8)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-28367
PATCHgo.dev/cl/267277
PATCHgo.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561
REPORTgo.dev/issue/42556
WEB