CVE-2023-45285


Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).


Published: 2023-12-06T17:15:07.320

Last Modified: 2024-11-21T08:26:41.953

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 7.5 (HIGH)

Weaknesses
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  golang  go       < 1.20.12      Yes
Application  golang  go       < 1.21.5       Yes