Unsafe behavior in setuid/setgid binaries in runtime
CVE-2023-29403

7.8 HIGH

Key Information:

CVE Published: 8 June 2023

What is CVE-2023-29403?

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits set. This has serious security implications, particularly when a setuid/setgid binary is started with the standard I/O file descriptors closed. In that case a file the program opens can be assigned descriptor 0, 1 or 2, so its contents may be altered or exposed with elevated privileges. Additionally, if a setuid/setgid program crashes or is interrupted, sensitive data held in its registers may be leaked. The issue shows why permissions need careful handling in system-level programming.

Affected Version(s)

runtime 0 < 1.19.10

runtime 1.20.0-0 < 1.20.5
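An added example, not code from the Go project or from this advisory: a Go program that flags a file only when it is both setuid/setgid and built with a toolchain in the affected ranges listed above. The function names are hypothetical; the Go version is read from the binary with the standard library's debug/buildinfo package.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Matches release strings such as "go1.19.9", "go1.20" and "go1.20rc1".
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?`)

// affectedGoVersion reports whether a toolchain string falls in the ranges
// on this page: anything before 1.19.10, or 1.20.0-0 up to (not incl.) 1.20.5.
func affectedGoVersion(v string) (bool, error) {
	m := goVer.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	minor, _ := strconv.Atoi(m[1])
	// Atoi("") fails and yields 0, so "go1.20" and "go1.20rc1" count as patch 0.
	patch, _ := strconv.Atoi(m[2])
	return minor < 19 || (minor == 19 && patch < 10) || (minor == 20 && patch < 5), nil
}

// checkBinary returns true only for a setuid/setgid file whose embedded
// build info names an affected Go toolchain.
func checkBinary(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	if fi.Mode()&(os.ModeSetuid|os.ModeSetgid) == 0 {
		return false, nil // no elevated-privilege bit, outside this CVE's scope
	}
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return false, err // not a Go binary, or build info unreadable
	}
	return affectedGoVersion(bi.GoVersion)
}

func main() {
	for _, p := range os.Args[1:] {
		hit, err := checkBinary(p)
		fmt.Printf("%s affected=%v err=%v\n", p, hit, err)
	}
}
```

Pass the paths of candidate binaries as arguments; a hit means the binary should be rebuilt with Go 1.19.10, 1.20.5 or later.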

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vincent Dehors from Synacktiv.