{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-28366", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "dateUpdated": "2024-08-04T16:33:58.955Z", "dateReserved": "2020-11-09T00:00:00", "datePublished": "2020-11-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:04:21.017Z"}, "title": "Arbitrary code execution in go command with cgo in cmd/go and cmd/cgo", "descriptions": [{"lang": "en", "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "0", "lessThan": "1.14.12", "status": "affected", "versionType": "semver"}, {"version": "1.15.0-0", "lessThan": "1.15.5", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Builder.cgo"}], "defaultStatus": "unaffected"}, {"vendor": "Go toolchain", "product": "cmd/cgo", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/cgo", "versions": [{"version": "0", "lessThan": "1.14.12", "status": "affected", "versionType": "semver"}, {"version": "1.15.0-0", "lessThan": "1.15.5", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "dynimport"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://go.dev/cl/269658"}, {"url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"}, {"url": "https://go.dev/issue/42559"}, {"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0475"}], "credits": [{"lang": "en", "value": "Chris Brown (Tempus Ex)"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:33:58.955Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/269658", "tags": ["x_transferred"]}, {"url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/42559", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-0475", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2175A10-2BF6-430A-A90E-C3957B4FF493", "versionEndExcluding": "1.14.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D85EBF5-35FF-4F02-87AB-16FF644D11F3", "versionEndExcluding": "1.15.5", "versionStartIncluding": "1.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DAE7369-EEC5-405E-9D13-858335FDA647", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*", "matchCriteriaId": "5D9A34F5-AC03-4098-A37D-AD50727DDB11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file."}, {"lang": "es", "value": "Go versiones anteriores a 1.14.12 y versiones 1.15.x anteriores a 1.15.5, permite una Inyecci\u00f3n de C\u00f3digo"}], "id": "CVE-2020-28366", "lastModified": "2024-11-21T05:22:40.197", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-18T17:15:11.993", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/269658"}, {"source": "security@golang.org", "url": "https://go.dev/issue/42559"}, {"source": "security@golang.org", "url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2022-0475"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/cl/269658"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/issue/42559"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pkg.go.dev/vuln/GO-2022-0475"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/client-kn-rhel8:0.18.4-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-mtping-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-storage-version-migration-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-sugar-controller-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/eventing-webhook-rhel8:0.18.6-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.12.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.12.0-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:0.18.4-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/kourier-control-rhel8:0.18.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.12.0-5", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.12.0-4", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-activator-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-autoscaler-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-controller-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-queue-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-storage-version-migration-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/serving-webhook-rhel8:0.18.2-3", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0146", "cpe": "cpe:/a:redhat:serverless:1.12::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.12.0-2", "product_name": "Openshift Serveless 1.12", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2021:0145", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:0.18.4-2.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2021-01-14T00:00:00Z"}, {"advisory": "RHSA-2020:5333", "cpe": "cpe:/a:redhat:devtools:2020", "package": "go-toolset-1.14-0:1.14.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5333", "cpe": "cpe:/a:redhat:devtools:2020", "package": "go-toolset-1.14-golang-0:1.14.12-1.el7_9", "product_name": "Red Hat Developer Tools", "release_date": "2020-12-03T00:00:00Z"}, {"advisory": "RHSA-2020:5493", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8030020201118084734.58e1918e", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-15T00:00:00Z"}], "bugzilla": {"description": "golang: malicious symbol names can lead to code execution at build time", "id": "1897643", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1897643"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file.", "An input validation vulnerability was found in Go. From a generated go file (from the cgo tool), it is possible to modify symbols within that object file and specify code. This flaw allows an attacker to create a repository that includes malicious pre-built object files that could execute arbitrary code when downloaded and run via `go get` or `go build` while building a Go project. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "mitigation": {"lang": "en:us", "value": "If it's possible to confirm that the Go project being built does not rely on any cgo code in the included dependencies, the env variable CGO_ENABLED=0 can be specified when using either `go get` or `go build`.  \nFor example:\nCGO_ENABLED=0 go get github.com/someproject\nThis will not stop the files being downloaded but will stop any automatic complication of the cgo code, including inlined in the go file and separate .c files.  Of course, this will only be effective if cgo is not relied upon in a given dependency and may not be appropriate in all scenarios."}, "name": "CVE-2020-28366", "package_state": [{"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel7", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "jaeger-rhel7-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "jaeger-rhel8-operator", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "knative-eventing", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "kiali", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Not affected", "package_name": "servicemesh-operator", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "golang-github-prometheus-node_exporter", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/cephcsi-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/mcg-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:2", "fix_state": "Not affected", "package_name": "kubevirt-virtctl", "product_name": "Red Hat OpenShift Virtualization 2"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "multi-cloud-object-gateway-cli", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "noobaa-operator-container", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "rhgs3/rhgs-gluster-block-prov-rhel7", "product_name": "Red Hat Storage 3"}], "public_date": "2020-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-28366\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-28366\nhttps://groups.google.com/g/golang-announce/c/NpBGTTmKzpM/m/fLguyiM2CAAJ"], "statement": "While OpenShift Container Platform (OCP), Red Hat OpenShift Jaeger (RHOSJ), OpenShift Service Mesh (OSSM), and OpenShift Virtualization all contain RPMs and containers which are compiled with a vulnerable version of Go, the vulnerability is specific to the building of Go code itself. Using `go get` or `go build` and as such, the relevant components have been marked as not affected.\nAdditionally, only the main RPMs and containers for OCP, RHOSJ, OSSM, and OpenShift Virtualization are represented due to the large volume of not affected components.\nRed Hat Ceph Storage 3 ships the vulnerable version of go, and an attacker building go code on RHCS 3 could potentially exploit this vulnerability.", "threat_severity": "Moderate"}