CVE-2023-45284 — Standard Library Path Filepath vulnerability

7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 92.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Path Filepath Golang GO

Timeline

PublishedNov 9

Latest updateNov 14

Description

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.21.0-0 — 1.21.4+1

▶CVEListV5go_standard_library/path_filepath1.21.0-0 — 1.21.4+1

🔴Vulnerability Details

GHSA

GHSA-rq3x-83w4-p28c: On Windows, The IsLocal function does not correctly detect reserved device names in some cases↗2023-11-09

▶

OSV

CVE-2023-45284: On Windows, The IsLocal function does not correctly detect reserved device names in some cases↗2023-11-09

▶

CVEList

Incorrect detection of reserved device names on Windows in path/filepath↗2023-11-09

▶

OSV

Incorrect detection of reserved device names on Windows in path/filepath↗2023-11-08

▶

📋Vendor Advisories

Microsoft

Incorrect detection of reserved device names on Windows in path/filepath↗2023-11-14

▶

Debian

CVE-2023-45284: golang-1.15 - On Windows, The IsLocal function does not correctly detect reserved device names...↗2023

▶