Vulnerability Description
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.20.12 |
References
- https://go.dev/cl/540257Patch
- https://go.dev/issue/63845Issue TrackingVendor Advisory
- https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJMailing ListVendor Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://pkg.go.dev/vuln/GO-2023-2383PatchVendor Advisory
- https://go.dev/cl/540257Patch
- https://go.dev/issue/63845Issue TrackingVendor Advisory
- https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJMailing ListVendor Advisory
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://pkg.go.dev/vuln/GO-2023-2383PatchVendor Advisory
FAQ
What is CVE-2023-45285?
CVE-2023-45285 is a vulnerability with a CVSS score of 7.5 (HIGH). Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, eve...
How severe is CVE-2023-45285?
CVE-2023-45285 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45285?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.