CVE-2023-45285

Command 'go get' may unexpectedly fallback to insecure git in cmd/go

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

El uso de go get para buscar un módulo con el sufijo ".git" puede recurrir inesperadamente al protocolo inseguro "git://" si el módulo no está disponible a través de "https://" y "git+ssh://" seguros, protocolos, incluso si GOINSECURE no está configurado para dicho módulo. Esto sólo afecta a los usuarios que no utilizan el proxy del módulo y están obteniendo módulos directamente (es decir, GOPROXY = desactivado).

A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available.

*Credits: David Leadbeater

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-06 CVE Reserved
2023-12-06 CVE Published
2023-12-13 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-693: Protection Mechanism Failure

CAPEC

References (7)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G

URL	Date	SRC

URL	Date	SRC
https://go.dev/cl/540257	2024-01-20
https://pkg.go.dev/vuln/GO-2023-2383	2024-01-20

URL	Date	SRC
https://go.dev/issue/63845	2024-01-20
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ	2024-01-20
https://access.redhat.com/security/cve/CVE-2023-45285	2024-03-05
https://bugzilla.redhat.com/show_bug.cgi?id=2253323	2024-03-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.20.12 Search vendor "Golang" for product "Go" and version " < 1.20.12"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.21.0-0 < 1.21.5 Search vendor "Golang" for product "Go" and version " >= 1.21.0-0 < 1.21.5"		-		Affected