Improper Credential Segmentation in Go's GOAUTH Feature Affects Users
CVE-2024-45340

8.8HIGH

Key Information:

Vendor: Go Toolchain
Status: Cmd/go
Vendor: CVE Published:; 28 January 2025

What is CVE-2024-45340?

A security flaw in the GOAUTH feature of the Go programming language allows malicious servers to access user credentials improperly. This occurs because credentials are not correctly isolated by domain, potentially permitting unauthorized requests for sensitive information. By default, this issue primarily impacts credentials stored in the user's .netrc file, increasing the risk of unauthorized access. Developers using Go should review their configurations and ensure proper domain segmentation to safeguard user credentials.

Affected Version(s)

cmd/go 1.24.0-0 < 1.24.0-rc.2

References

https://go.dev/cl/643097

https://go.dev/issue/71249

https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 28, 2025
Vulnerability Reserved
Aug 27, 2024

Credit

Juho Forsén of Mattermost

Go Toolchain

What is CVE-2024-45340?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit