CVE-2021-3115
7.5 HIGH
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get...
Published: 2021-01-26 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-427
Affected products
| Vendor | Product |
|---|---|
| fedoraproject | cloud_insights_telegraf_agent, fedora, go |
| golang | cloud_insights_telegraf_agent, fedora, go |
| netapp | cloud_insights_telegraf_agent, fedora, go |
Description
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-3115
- [Vendor advisory] https://blog.golang.org/path-security
- [Other] https://groups.google.com/g/golang-announce/c/mperVMGa98w
- [Other] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/
- [Other] https://security.gentoo.org/glsa/202208-02
- [Other] https://security.netapp.com/advisory/ntap-20210219-0001/