CVE-2021-3115
Arbitrary code injection via the go command with cgo on Windows in cmd/go
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 0.14%
Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
How to fix CVE-2021-3115
To remediate CVE-2021-3115, upgrade the affected package to a fixed version below.
- upgrade to 1.14.14 or later
- upgrade to 1.15.7-1 or later
- upgrade to 1.14.14 or later
Is CVE-2021-3115 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- < 1.14.14; >= 1.15.0, < 1.15.7
- < 1.15.7-1
- < 1.14.14; >= 1.15.0-0, < 1.15.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |