CVE-2023-29404
CVE Details
Visit the official vulnerability details page for CVE-2023-29404 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
go
NIST CVE Summary
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE Severity
Our Official Summary
This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used.
Status
Ongoing
Affected Products & Versions
This CVE is non-impacting as the impacting symbol and/or function is not used in the product
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/06/2024 | Advisory severity revised to CRITICAL from HIGH |
| 12/05/2024 | Advisory severity revised to HIGH from CRITICAL |
| 12/04/2024 | Advisory severity revised to CRITICAL from HIGH |
| 12/04/2024 | Advisory is no longer impacting. |
| 12/04/2024 | Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used. |
| 12/03/2024 | Advisory severity revised to HIGH from LOW |
| 12/02/2024 | Advisory severity revised to LOW from CRITICAL |
| 12/02/2024 | Advisory is now impacting. |
| 12/01/2024 | Advisory severity revised to CRITICAL from HIGH |
| 12/01/2024 | Advisory is no longer impacting. |
| 12/01/2024 | Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used. |
| 11/30/2024 | Advisory severity revised to HIGH from CRITICAL |
| 11/30/2024 | Advisory is now impacting. |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |