Command 'go get' may unexpectedly fallback to insecure git in cmd/go
CVE-2023-45285
What is CVE-2023-45285?
This vulnerability occurs when 'go get' is used to fetch a module with a '.git' suffix: if the requested module is unavailable via the secure 'https://' and 'git+ssh://' protocols, the command may fall back to the insecure 'git://' protocol, even though GOINSECURE is not set for that module. The risk applies to users operating with the module proxy disabled (GOPROXY=off), whose module fetches can end up on an insecure connection without their having opted in. Developers should be aware of this behaviour in order to safeguard their projects.

Affected Version(s)
cmd/go 0 < 1.20.12
cmd/go 1.21.0-0 < 1.21.5
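
A check for the exposure described above, as an added example that is not part of the original advisory or the Go project's own code: it tests a Go version string against the ranges under Affected Version(s) together with the GOPROXY=off precondition. The function names are hypothetical, and reading GOPROXY from the process environment (rather than from `go env`) is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// parse turns "go1.20.11" or "go1.21rc2" into {major, minor, patch}.
func parse(v string) (n [3]int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexAny(v, "rb"); i >= 0 { // "rcN"/"betaN": sorts below the .0 release
		v, n[2] = v[:i], -1
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return n, false
	}
	var err error
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil {
			return n, false
		}
	}
	return n, true
}

// affected reports whether v falls in the ranges listed under Affected Version(s).
func affected(v string) (bool, error) {
	n, ok := parse(v)
	if !ok || n[0] != 1 {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	if n[1] == 21 {
		return n[2] < 5, nil // 1.21.0-0 <= v < 1.21.5
	}
	return n[1] < 20 || (n[1] == 20 && n[2] < 12), nil // v < 1.20.12
}

// exposed adds the page's precondition: module proxy disabled (GOPROXY=off).
func exposed(v, goproxy string) bool {
	a, err := affected(v)
	return err == nil && a && goproxy == "off"
}

func main() { // assumption: GOPROXY is taken from the process environment only
	fmt.Println(runtime.Version(), exposed(runtime.Version(), os.Getenv("GOPROXY")))
}
```

Development builds and vendor-tagged version strings are reported as unrecognised rather than guessed at, so treat an error from `affected` as "check manually".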
