CVE-2023-24531
July 2, 2024, 8:15 p.m.
Tags
Product(s) Impacted
Go programming language
Description
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.
Weaknesses
Date
Published: July 2, 2024, 8:15 p.m.
Last Modified: July 2, 2024, 8:15 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@golang.org
References
https://go.dev/
security@golang.org
https://go.dev/
security@golang.org
https://go.dev/
security@golang.org
https://groups.google.com/
security@golang.org
https://pkg.go.dev/
security@golang.org