Bug 1227338 (CVE-2023-24531) - VUL-0: CVE-2023-24531: go,go1.21,go1.22: command go env does not sanitize values and can execute its output as a shell script
Summary: VUL-0: CVE-2023-24531: go,go1.21,go1.22: command go env does not sanitize val...
Status: RESOLVED INVALID
Alias: CVE-2023-24531
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Jeff Kowalczyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412738/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-24531:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-03 11:27 UTC by SMASH SMASH
Modified: 2024-07-03 11:28 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-07-03 11:27:16 UTC 
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24531
https://www.cve.org/CVERecord?id=CVE-2023-24531
https://go.dev/cl/488375
https://go.dev/cl/493535
https://go.dev/issue/58508
https://groups.google.com/g/golang-dev/c/ixHOFpSbajE/m/8EjlbKVWAwAJ
https://pkg.go.dev/vuln/GO-2024-2962