CVE-2021-3115
Publication date 26 January 2021
Last updated 25 August 2025
Ubuntu priority
CVSS 3 Severity Score
Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang | 20.04 LTS focal | Not in release |
| golang | 18.04 LTS bionic | Not in release |
| golang-1.10 | 20.04 LTS focal | Not in release |
| golang-1.10 | 18.04 LTS bionic | Not affected |
| golang-1.13 | 20.04 LTS focal | Not affected |
| golang-1.13 | 18.04 LTS bionic | Not affected |
| golang-1.14 | 20.04 LTS focal | Not affected |
| golang-1.14 | 18.04 LTS bionic | Not in release |
| golang-1.15 | 20.04 LTS focal | Not in release |
| golang-1.15 | 18.04 LTS bionic | Not in release |
| golang-1.6 | 20.04 LTS focal | Not in release |
| golang-1.6 | 18.04 LTS bionic | Not in release |
| golang-1.8 | 20.04 LTS focal | Not in release |
| golang-1.8 | 18.04 LTS bionic | Not affected |
| golang-1.9 | 20.04 LTS focal | Not in release |
| golang-1.9 | 18.04 LTS bionic | Not affected |
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |