
Google fixes severe Golang Windows RCE vulnerability
2021-01-26 11:09

This month, Google engineers fixed a severe remote code execution vulnerability in the Go language toolchain.

The RCE vulnerability, CVE-2021-3115, mainly affects Windows users of Go who run the go get command, because of the default behavior of Windows PATH lookups.

If you type netstat in a Windows command prompt, Windows first looks for a netstat executable in the current folder.

Only if no netstat exists in the current folder does the Windows shell look for the netstat system utility, whose location is listed in the Windows %PATH% variable.

For consistency, Golang binaries imitate Unix rules on Unix systems, and Windows rules on Windows.
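The two lookup rules described above, and the defensive check a tool can apply before executing what a lookup returns, as an added example in Go (this is not the Go team's patch and not code from the article; the in-memory file list, PATH directories and the gcc.exe scenario are constructed, and isAbs is a simplified portable approximation that accepts either a POSIX root or a drive-letter prefix):

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// fakeFS is a constructed in-memory set of files that exist, keyed by
// forward-slash paths so the simulation behaves the same on any OS.
type fakeFS map[string]bool

// lookupUnix models the Unix rule: a bare command name is searched only in
// the PATH directories; the current directory is never consulted.
func lookupUnix(fs fakeFS, name string, pathDirs []string) (string, bool) {
	for _, d := range pathDirs {
		if p := path.Join(d, name); fs[p] {
			return p, true
		}
	}
	return "", false
}

// lookupWindows models the rule the article describes: the current
// directory (".") is searched before PATH, and each candidate is tried with
// every extension in PATHEXT. A hit in "." comes back as a relative path.
func lookupWindows(fs fakeFS, name string, pathDirs, pathExt []string) (string, bool) {
	dirs := append([]string{"."}, pathDirs...)
	for _, d := range dirs {
		for _, ext := range pathExt {
			if p := path.Join(d, name+ext); fs[p] {
				return p, true
			}
		}
	}
	return "", false
}

var errFromCwd = errors.New("command resolved from the current directory; refusing to run it")

// isAbs is an assumption for this example: it accepts a POSIX root ("/...")
// or a Windows drive prefix ("C:...") so the same check works for both models.
func isAbs(p string) bool {
	return path.IsAbs(p) || (len(p) >= 2 && p[1] == ':')
}

// guardLookup is the defensive check: the caller asked for a bare name (no
// directory component), so the only trustworthy answer is an absolute path
// found via PATH. A relative answer means the current directory won, which is
// the case an untrusted download could exploit by shipping its own gcc.exe.
// A caller that explicitly wrote "./gcc" asked for the current directory and
// is not flagged.
func guardLookup(name, resolved string) error {
	if path.Base(name) == name && !isAbs(resolved) {
		return errFromCwd
	}
	return nil
}

func main() {
	// Constructed scenario: a trusted gcc lives on PATH, but the directory
	// we are about to build in also contains a gcc.exe. PATHEXT entries are
	// lower-cased here because the simulated file list is case-sensitive.
	fs := fakeFS{
		"gcc.exe":              true, // planted in the current directory
		"C:/MinGW/bin/gcc.exe": true, // the real compiler on PATH
		"/usr/bin/gcc":         true,
	}
	winPath := []string{"C:/Windows/System32", "C:/MinGW/bin"}
	pathExt := []string{".com", ".exe", ".bat"}

	if p, ok := lookupWindows(fs, "gcc", winPath, pathExt); ok {
		fmt.Println("windows rule resolves gcc ->", p) // gcc.exe, from "."
		if err := guardLookup("gcc", p); err != nil {
			fmt.Println("guard:", err)
		}
	}
	if p, ok := lookupUnix(fs, "gcc", []string{"/usr/bin"}); ok {
		fmt.Println("unix rule resolves gcc ->", p) // /usr/bin/gcc
		fmt.Println("guard:", guardLookup("gcc", p)) // <nil>
	}
}
```

Running the program shows the Windows rule picking up the planted gcc.exe from the working directory and the guard refusing it, while the Unix rule never looks there. The guard is the useful part for a defender: any tool that spawns helpers by bare name on Windows can apply the same check between lookup and exec.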

The Golang team at Google has fixed the vulnerability, and users are advised to upgrade their installations.


News URL

https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                  RISK
2021-01-26  CVE-2021-3115  Uncontrolled Search Path Element vulnerability in multiple products  7.5

Description: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Attack vector: network
Attack complexity: high
Affected vendors: golang, fedoraproject, netapp
Weakness: CWE-427

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4922 2872 1623 10411
Golang 13 1 43 88 11 143