| package: cmd/go |
| do_not_export: true |
| stdlib: true |
| versions: |
| - fixed: go1.14.14 |
| - fixed: go1.15.7 |
| description: | |
| The go command may execute arbitrary code at build time when using cgo on Windows. |
| This can be triggered by running go get on a malicious module, or any other time |
| the code is built. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2021-3115 |
| credit: RyotaK |
| os: |
| - windows |
| links: |
| pr: https://golang.org/cl/284783 |
| commit: https://github.com/golang/go/commit/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0 |
| context: |
| - https://github.com/golang/go/issues/43783 |
| - https://golang.org/cl/284780 |
| - https://github.com/golang/go/commit/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0 |