CVE-2023-45285

Published: Dec 6, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.20.12
Golang Go	From 1.21.0-0 to 1.21.5

References (10)

https://go.dev/cl/540257

Source: security@golang.org

Patch

https://go.dev/issue/63845

Source: security@golang.org

Issue TrackingVendor Advisory

https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ

Source: security@golang.org

Mailing ListVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/

Source: security@golang.org

https://pkg.go.dev/vuln/GO-2023-2383

Source: security@golang.org

PatchVendor Advisory

https://go.dev/cl/540257

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/63845

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/

Source: af854a3a-2127-422b-91ae-364da2661108

https://pkg.go.dev/vuln/GO-2023-2383

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.