CVE-2023-45285

Command 'go get' may unexpectedly fallback to insecure git in cmd/go

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

El uso de go get para buscar un módulo con el sufijo ".git" puede recurrir inesperadamente al protocolo inseguro "git://" si el módulo no está disponible a través de "https://" y "git+ssh://" seguros, protocolos, incluso si GOINSECURE no está configurado para dicho módulo. Esto sólo afecta a los usuarios que no utilizan el proxy del módulo y están obteniendo módulos directamente (es decir, GOPROXY = desactivado).

A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available.

Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time.

*Credits: David Leadbeater

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-06 CVE Reserved
2023-12-06 CVE Published
2025-02-13 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-693: Protection Mechanism Failure

CAPEC

References (7)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G

URL	Date	SRC

URL	Date	SRC
https://go.dev/cl/540257	2024-01-20
https://pkg.go.dev/vuln/GO-2023-2383	2024-01-20

URL	Date	SRC
https://go.dev/issue/63845	2024-01-20
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ	2024-01-20
https://access.redhat.com/security/cve/CVE-2023-45285	2024-03-05
https://bugzilla.redhat.com/show_bug.cgi?id=2253323	2024-03-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.20.12 Search vendor "Golang" for product "Go" and version " < 1.20.12"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.21.0-0 < 1.21.5 Search vendor "Golang" for product "Go" and version " >= 1.21.0-0 < 1.21.5"		-		Affected