CVE-2023-45285 — Protection Mechanism Failure in Toolchain CMD GO

CWE-693 — Protection Mechanism Failure9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 82.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Toolchain CMD GO Golang GO

Timeline

PublishedDec 6

Latest updateJan 11

Description

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgolang/go1.21.0-0 — 1.21.5+1

▶CVEListV5go_toolchain/cmd_go1.21.0-0 — 1.21.5+1

Patches

Patch: go.dev ↗Patch: pkg.go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

Command 'go get' may unexpectedly fallback to insecure git in cmd/go↗2023-12-06

▶

CVEList

Command 'go get' may unexpectedly fallback to insecure git in cmd/go↗2023-12-06

▶

GHSA

GHSA-5f94-vhjq-rpg8: Using go get to fetch a module with the "↗2023-12-06

▶

OSV

CVE-2023-45285: Using go get to fetch a module with the "↗2023-12-06

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-01-11

▶

Microsoft

Command 'go get' may unexpectedly fallback to insecure git in cmd/go↗2023-12-12

▶

Red Hat

golang: cmd/go: Protocol Fallback when fetching modules↗2023-12-06

▶

Debian

CVE-2023-45285: golang-1.15 - Using go get to fetch a module with the ".git" suffix may unexpectedly fallback ...↗2023

▶