Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-45285

UNKNOWN
Published 2023-12-06T16:27:55.521Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-45285. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Go toolchain

cmd/go

Affected Versions:

0 1.21.0-0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-5f94-vhjq-rpg8

Advisory Details

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-45285
WEB https://go.dev/cl/540257
WEB https://go.dev/issue/63845
WEB https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G
WEB https://pkg.go.dev/vuln/GO-2023-2383

Advisory provided by GitHub Security Advisory Database. Published: December 6, 2023, Modified: December 12, 2023

References

https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://go.dev/issue/63845
https://go.dev/cl/540257
https://pkg.go.dev/vuln/GO-2023-2383
https://lists.fedoraproject.org/archives/list/[email protected]/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
Published: 2023-12-06T16:27:55.521Z
Last Modified: 2025-02-13T17:14:00.033Z
Copied to clipboard!