CVE-2024-45340: Sensitive Info Insertion into Sent Data in Toolchain CMD GO

Severity
8.8 HIGH (NVD)
EPSS
0.1%
top 74.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jan 28

Description

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials it should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

CVEListV5 | go_toolchain/cmd_go | 1.24.0-0 | 1.24.0-rc.2

🔴 Vulnerability Details

4
OSV
CVE-2024-45340: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s... (2025-01-28)
GHSA
GHSA-v5qx-579h-rr6f: Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they s... (2025-01-28)
OSV
GOAUTH credential leak in cmd/go (2025-01-28)
CVEList
GOAUTH credential leak in cmd/go (2025-01-28)

📋 Vendor Advisories

2
Red Hat
cmd/go: golang: GOAUTH credential leak in cmd/go (2025-01-28)
Debian
CVE-2024-45340: golang-1.24 - Credentials provided via the new GOAUTH feature were not being properly segmente... (2024)
CVE-2024-45340 — GO Toolchain CMD GO vulnerability | cvebase