CVE-2024-45340
Published 2025-01-28
Priority: P3 · 55 · high · CVSS 3.1: 8.8
AV:N · AC:L · PR:L · UI:N · S:U · C:H · I:H · A:H
EPSS: 0.69% (47.9th percentile)
Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.24 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| go_toolchain | cmd_go | >= 1.24.0-0 < 1.24.0-rc.2 | 1.24.0-rc.2 |
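CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |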
Red Hat
cmd/go: golang: GOAUTH credential leak in cmd/go
vendor_redhat·2025-01-28·CVSS 8.8
CVE-2024-45340 [HIGH] CWE-201 cmd/go: golang: GOAUTH credential leak in cmd/go
A flaw was found in the cmd/go package in Golang. A malicious server can access credentials belonging to other servers due to how domains are parsed in the .netrc file, causing a credential leak. By default, this issue only affects credentials stored in the .netrc file.
Statement: Red Hat Trusted Artifact Signer is not affected by this vulnerability because the vulnerable code was introduced in a newer golang version that is not used by this product.
Mitigation: Red Ha
Debian
CVE-2024-45340: golang-1.24 - Credentials provided via the new GOAUTH feature were not being properly segmente...
vendor_debian·2024·CVSS 8.8
CVE-2024-45340 [HIGH] CVE-2024-45340: golang-1.24 - Credentials provided via the new GOAUTH feature were not being properly segmente...
Scope: local
forky: resolved (fixed in 1.24~rc2-1)
sid: resolved (fixed in 1.24~rc2-1)
trixie: resolved (fixed in 1.24~rc2-1)
OSV
CVE-2024-45340: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s
osv·2025-01-28·CVSS 8.8
CVE-2024-45340 [HIGH] CVE-2024-45340: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s
GHSA
GHSA-v5qx-579h-rr6f: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s
ghsa_unreviewed·2025-01-28
CVE-2024-45340 [HIGH] GHSA-v5qx-579h-rr6f: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s
OSV
GOAUTH credential leak in cmd/go
osv·2025-01-28
CVE-2024-45340 GOAUTH credential leak in cmd/go
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-28
Published