CVE-2023-45285
Published: 2023-12-06
CVE-2023-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure…
Priority: P3 (42) · Severity: high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.14% (62.5th percentile)
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
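The scheme selection behind that sentence, as an added illustrative example (this is not cmd/go's code). It models the decision `go get` makes when it resolves a `.git`-suffixed path directly from a VCS: a candidate scheme list (https, git+ssh, git, in that order, which is the assumed order here), the GOINSECURE opt-out, and a `vulnerable` switch that selects the pre-fix behaviour (the whole list was tried for `.git` paths, so `git://` was attempted once https and git+ssh failed) or the behaviour after go.dev/cl/540257 (insecure schemes are skipped unless GOINSECURE matches). `MatchesGoinsecure` is a simplified re-implementation of the prefix-glob matching the go command applies to GOINSECURE, not the real `module.MatchPrefixPatterns`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// gitSchemes is the assumed order in which schemes are tried for a git
// repository: secure ones first, plaintext git:// last.
var gitSchemes = []string{"https", "git+ssh", "git"}

// secureSchemes may always be used; anything else needs a GOINSECURE match.
var secureSchemes = map[string]bool{"https": true, "git+ssh": true}

// MatchesGoinsecure reports whether modPath is covered by the comma-separated
// glob patterns in goinsecure. Simplified model of cmd/go's prefix matching:
// a pattern matches if it matches the module path or any leading path prefix
// (so "example.com" covers "example.com/lib.git").
func MatchesGoinsecure(goinsecure, modPath string) bool {
	for _, pat := range strings.Split(goinsecure, ",") {
		pat = strings.TrimSpace(pat)
		if pat == "" {
			continue
		}
		prefix := modPath
		for {
			if ok, _ := path.Match(pat, prefix); ok {
				return true
			}
			i := strings.LastIndex(prefix, "/")
			if i < 0 {
				break
			}
			prefix = prefix[:i]
		}
	}
	return false
}

// SchemesToTry returns the schemes a direct (non-proxy) fetch of modPath would
// attempt, in order. vulnerable=true models Go < 1.20.12 and 1.21.x < 1.21.5,
// where a ".git"-suffixed path used the full scheme list regardless of
// GOINSECURE; vulnerable=false models the fix, which drops insecure schemes
// unless GOINSECURE opts the module out.
func SchemesToTry(modPath, goinsecure string, vulnerable bool) []string {
	insecureOK := MatchesGoinsecure(goinsecure, modPath)
	var out []string
	for _, s := range gitSchemes {
		switch {
		case secureSchemes[s] || insecureOK:
			out = append(out, s)
		case vulnerable && strings.HasSuffix(modPath, ".git"):
			out = append(out, s) // the bug: git:// reached without GOINSECURE
		}
	}
	return out
}

func main() {
	// Constructed module paths; no network access is performed.
	for _, mod := range []string{"example.com/lib.git", "example.com/lib"} {
		fmt.Printf("%-22s vulnerable=%v  fixed=%v\n", mod,
			SchemesToTry(mod, "", true), SchemesToTry(mod, "", false))
	}
	fmt.Println("fixed, GOINSECURE=example.com/*:",
		SchemesToTry("example.com/lib.git", "example.com/*", false))
}
```

The interesting line is the second case of the switch: on a vulnerable toolchain the only condition that opens `git://` is the `.git` suffix, so an attacker who can make the https and git+ssh attempts fail (or who sits on the path for the plaintext git port) gets a fetch that GOINSECURE was supposed to forbid.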
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| go_toolchain | cmd_go | < 1.20.12 | 1.20.12 |
| go_toolchain | cmd_go | >= 1.21.0-0 < 1.21.5 | 1.21.5 |
| golang | go | < 1.20.12 | 1.20.12 |
| golang | go | >= 1.21.0-0 < 1.21.5 | 1.21.5 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.22.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
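A check a build-pipeline owner can run against the two toolchain ranges above, as an added example (not tooling from the Go project). It takes the values `go version` and `go env GOPROXY GONOPROXY` report and decides whether an environment is exposed. One caveat the advisory wording glosses over: GOPROXY=off disables module downloads entirely, so the direct VCS fetch the bug lives on happens under GOPROXY=direct, under the `,direct` fallback in the default proxy list, and for modules matched by GONOPROXY/GOPRIVATE; the example models that. Pre-release versions are treated as the .0 release of their minor, which keeps go1.21rc2 inside the `>= 1.21.0-0` range.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// GoVersion is a parsed toolchain version such as go1.21.4.
type GoVersion struct{ Major, Minor, Patch int }

// ParseGoVersion accepts "go1.21.4", "1.20.12" or pre-releases like "go1.21rc2"
// (pre-release suffixes are dropped, giving the .0 release of that minor).
func ParseGoVersion(s string) (GoVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	for _, tag := range []string{"rc", "beta"} {
		if i := strings.Index(s, tag); i >= 0 {
			s = s[:i]
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return GoVersion{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return GoVersion{}, fmt.Errorf("unrecognised Go version %q: %v", s, err)
		}
		nums[i] = n
	}
	return GoVersion{nums[0], nums[1], nums[2]}, nil
}

// Less reports whether v sorts before w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// ToolchainAffected applies the two ranges from the table:
// < 1.20.12, and >= 1.21.0-0 < 1.21.5.
func ToolchainAffected(v GoVersion) bool {
	return v.Less(GoVersion{1, 20, 12}) ||
		(!v.Less(GoVersion{1, 21, 0}) && v.Less(GoVersion{1, 21, 5}))
}

// DirectFetchPossible reports whether the module configuration can make the go
// command fetch from a VCS itself: "direct" anywhere in the GOPROXY list
// (the default "https://proxy.golang.org,direct" qualifies) or a non-empty
// GONOPROXY (which defaults to GOPRIVATE). GOPROXY=off downloads nothing.
func DirectFetchPossible(goproxy, gonoproxy string) bool {
	sep := func(r rune) bool { return r == ',' || r == '|' }
	for _, p := range strings.FieldsFunc(goproxy, sep) {
		if strings.TrimSpace(p) == "direct" {
			return true
		}
	}
	return strings.TrimSpace(gonoproxy) != ""
}

// Exposed combines the toolchain range and the fetch configuration.
func Exposed(goVersion, goproxy, gonoproxy string) (bool, error) {
	v, err := ParseGoVersion(goVersion)
	if err != nil {
		return false, err
	}
	return ToolchainAffected(v) && DirectFetchPossible(goproxy, gonoproxy), nil
}

func main() {
	// Constructed sample environments, as a CI job would report them.
	envs := []struct{ version, proxy, noproxy string }{
		{"go1.21.4", "https://proxy.golang.org,direct", ""},
		{"go1.21.4", "https://proxy.corp.example", ""},
		{"go1.21.5", "direct", ""},
		{"go1.20.11", "https://proxy.golang.org", "*.corp.example"},
	}
	for _, e := range envs {
		exposed, err := Exposed(e.version, e.proxy, e.noproxy)
		fmt.Printf("%-10s GOPROXY=%-32s GONOPROXY=%-18q exposed=%v err=%v\n",
			e.version, e.proxy, e.noproxy, exposed, err)
	}
}
```

The second sample environment (an affected toolchain behind a private proxy with no direct fallback) comes out as not exposed, which is the situation Red Hat's "default configuration avoids this behavior" statement below describes; the fourth shows why GOPRIVATE-routed modules on an old toolchain still count.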
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 6.1 | MEDIUM | — |
OSV
osv · 2023-12-06
CVE-2023-45285: Command 'go get' may unexpectedly fallback to insecure git in cmd/go
Description: identical to the CVE description at the top of the page.
GHSA
GHSA-5f94-vhjq-rpg8 · ghsa_unreviewed · 2023-12-06 · HIGH
CVE-2023-45285
Description: identical to the CVE description at the top of the page.
OSV
osv · 2023-12-06 · CVSS 7.5 (HIGH)
CVE-2023-45285
Description: identical to the CVE description at the top of the page.
Ubuntu
vendor_ubuntu · 2024-01-11 · CVSS 6.1 (MEDIUM) · indexed under CVE-2023-39326
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_"
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly us
Microsoft
vendor_msrc · 2023-12-12 · CVSS 7.5 (HIGH)
CVE-2023-45285: Command 'go get' may unexpectedly fallback to insecure git in cmd/go
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Affected products: Mariner, Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https:
Red Hat
vendor_redhat · 2023-12-06 · CVSS 7.5 (HIGH) · CWE-693 (Protection Mechanism Failure)
CVE-2023-45285: golang: cmd/go: Protocol Fallback when fetching modules
Description: identical to the CVE description at the top of the page.
A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available.
Statement: Red Hat rates this issue as Moderate, as the default configuration avoids this behavior, mitigating the vulnerability.
Mitigation: This issue only affects users who are not using the module
Debian
vendor_debian · 2023 · CVSS 7.5 (HIGH)
CVE-2023-45285: golang-1.15 - Using go get to fetch a module with the ".git" suffix may unexpectedly fallback ...
Description: identical to the CVE description at the top of the page.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://go.dev/cl/540257
- https://go.dev/issue/63845
- https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
- https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
- https://pkg.go.dev/vuln/GO-2023-2383