Command 'go get' may unexpectedly fallback to insecure git in cmd/go
CVE-2023-45285
7.5HIGH
What is CVE-2023-45285?
Using 'go get' to fetch a module whose path ends in a '.git' suffix may unexpectedly fall back to the insecure 'git://' protocol when the module cannot be fetched over the secure 'https://' and 'git+ssh://' protocols, even if GOINSECURE has not been set for that module. Only users who fetch modules directly with the module proxy disabled (GOPROXY=off) are affected: their configuration is exposed to the insecure connection without any explicit opt-in. Developers should be aware of this behaviour in order to safeguard their projects.
Affected Version(s)
cmd/go: all versions before 1.20.12
cmd/go: 1.21.0 up to, but not including, 1.21.5
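The two affected ranges above can be turned into a quick toolchain check. The POSIX shell script below is an added example, not part of this advisory or of the Go project's tooling; it assumes the version string is taken from the output of 'go version' (for example 'go1.21.4') and encodes only the ranges listed on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a Go toolchain
# version falls inside the ranges this page lists as affected.

# cve_2023_45285_affected VERSION
# Returns 0 (shell "true") when VERSION is affected:
#   cmd/go < 1.20.12            (every 1.x release before 1.20.12)
#   1.21.0 <= cmd/go < 1.21.5
# VERSION may be "go1.21.4" or "1.21.4"; pre-release tags such as
# "go1.21rc2" are treated as patch level 0 of that minor version.
# "devel" builds cannot be classified and return 2.
cve_2023_45285_affected() {
    v=${1#go}                         # drop the leading "go" from `go version`
    case "$v" in
        devel*) return 2 ;;
    esac

    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0      # "1" with no dots
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0 # "1.21" with no patch component

    # keep only the leading digits: "21rc2" -> "21"
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    : "${minor:=0}" "${patch:=0}"

    [ "$major" -eq 1 ] || return 1    # only Go 1.x releases are listed
    [ "$minor" -lt 20 ] && return 0
    [ "$minor" -eq 20 ] && [ "$patch" -lt 12 ] && return 0
    [ "$minor" -eq 21 ] && [ "$patch" -lt 5 ] && return 0
    return 1
}

# Usage:
#   sh check.sh "$(go version | awk '{print $3}')"
if [ -n "$1" ]; then
    if cve_2023_45285_affected "$1"; then
        echo "$1: affected by CVE-2023-45285; upgrade to 1.20.12 / 1.21.5 or newer."
        echo "Until then, avoid GOPROXY=off so modules are not fetched directly over git://."
    else
        echo "$1: not in an affected range"
    fi
fi
```

The check is deliberately conservative: an unparseable or pre-release version is mapped onto the nearest listed minor version rather than silently reported as safe.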
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
David Leadbeater