Enviar #838569: antlr ANTLR4 4.13.2 Command Injectioninformación

Títuloantlr ANTLR4 4.13.2 Command Injection
DescripciónWhen ANTLR4 generates Go code (-Dlanguage=Go), the GoTarget class executes gofmt using ProcessBuilder("gofmt", ...) without specifying an absolute path. The binary is resolved via the PATH environment variable. An attacker who can prepend a directory to PATH (via compromised build scripts, CI environment injection, or .envrc files) can place a malicious executable named gofmt that will be executed with the privileges of the build process. This was confirmed to achieve code execution with a crafted PATH.
Fuente⚠️ https://github.com/wooyun123/wooyun/issues/6
Usuario
 jiazhou (UID 89028)
Sumisión2026-05-27 10:52 (hace 1 mes)
Moderación2026-06-27 20:28 (1 month later)
EstadoAceptado
Entrada de VulDB374496 [antlr ANTLR4 hasta 4.13.2 gofmt GoTarget.java GoTarget escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!