Submission #838569: antlr ANTLR4 4.13.2 Command Injection

Info

Title: antlr ANTLR4 4.13.2 Command Injection
Description: When ANTLR4 generates Go code (-Dlanguage=Go), the GoTarget class executes gofmt using ProcessBuilder("gofmt", ...) without specifying an absolute path. The binary is resolved via the PATH environment variable. An attacker who can prepend a directory to PATH (via compromised build scripts, CI environment injection, or .envrc files) can place a malicious executable named gofmt that will be executed with the privileges of the build process. This was confirmed to achieve code execution with a crafted PATH.
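For comparison, a hardened lookup that never consults PATH, written here as an added example and not ANTLR's own code; the `antlr.gofmt` system property and the fallback to `GOROOT/bin/gofmt` are assumptions of this example:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical hardened gofmt lookup (example code, not from the ANTLR project). */
public final class GofmtLocator {

    /**
     * Resolve gofmt from an explicit, trusted location only. PATH is never
     * searched, so a directory prepended by a build script or .envrc cannot
     * substitute a different binary.
     */
    public static Path locate() {
        String configured = System.getProperty("antlr.gofmt"); // assumed property name
        if (configured != null) {
            return requireTrusted(Paths.get(configured));
        }
        String goroot = System.getenv("GOROOT"); // assumed fallback
        if (goroot != null) {
            return requireTrusted(Paths.get(goroot, "bin", "gofmt"));
        }
        throw new IllegalStateException("gofmt location not configured; refusing PATH lookup");
    }

    /** Accept only an absolute path to an existing, executable regular file. */
    private static Path requireTrusted(Path p) {
        Path abs = p.toAbsolutePath().normalize();
        if (!Files.isRegularFile(abs) || !Files.isExecutable(abs)) {
            throw new IllegalStateException("gofmt is not an executable regular file: " + abs);
        }
        return abs;
    }

    /** Run gofmt -w on one generated file using the resolved absolute path. */
    public static void format(Path goFile) throws IOException, InterruptedException {
        Path gofmt = locate();
        // An absolute command path means ProcessBuilder does not search PATH.
        ProcessBuilder pb = new ProcessBuilder(gofmt.toString(), "-w", goFile.toString());
        pb.redirectErrorStream(true);
        Process proc = pb.start();
        if (proc.waitFor() != 0) {
            throw new IOException("gofmt exited with status " + proc.exitValue());
        }
    }
}
```

The same defensive pattern applies to any build tool that shells out to a formatter or compiler: pin the binary location in configuration and validate it before launching the process.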
Source: https://github.com/wooyun123/wooyun/issues/6
User: jiazhou (UID 89028)
Submitted: 2026. 05. 27. AM 10:52 (1 month ago)
Moderation: 2026. 06. 27. PM 08:28 (1 month later)
Status: Accepted
VulDB entry: 374496 [antlr ANTLR4 up to 4.13.2 gofmt GoTarget.java GoTarget privilege escalation]
Points: 20
