CVE-2023-29403Resource Exposure in Standard Library Runtime

CWE-668Resource ExposureCWE-642External Control of Critical State Data10 documents8 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 98.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GO Standard Library RuntimeGolang GOFedoraproject Fedora
Timeline
PublishedJun 8
Latest updateNov 14

Description

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or sig

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5go_standard_library/runtime1.20.0-01.20.5+1
NVDgolang/go1.20.01.20.5+1

Also affects: Fedora 38

Patches

Patch: go.devPatch: go.dev

🔴Vulnerability Details

4
OSV
CVE-2023-29403: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits2023-06-08
OSV
Unsafe behavior in setuid/setgid binaries in runtime2023-06-08
GHSA
GHSA-rxx3-4978-3cc9: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits2023-06-08
CVEList
Unsafe behavior in setuid/setgid binaries in runtime2023-06-08

📋Vendor Advisories

5
Ubuntu
Go vulnerabilities2024-11-14
Ubuntu
Go vulnerabilities2024-10-10
Microsoft
Unsafe behavior in setuid/setgid binaries in runtime2023-06-13
Red Hat
golang: runtime: unexpected behavior of setuid/setgid binaries2023-06-08
Debian
CVE-2023-29403: golang-1.15 - On Unix platforms, the Go runtime does not behave differently when a binary is r...2023
CVE-2023-29403 — Resource Exposure | cvebase