CVE-2023-45284

Name of the Vulnerable Software and Affected Versions Go versions 1.21.3 and earlier, 1.20.10 and earlier

Description The issue is related to the IsLocal function not correctly detecting reserved device names in some cases on Windows. Specifically, reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. This can be exploited by a remote attacker to bypass existing security restrictions. The estimated number of potentially affected devices is not specified.

Recommendations For Go versions 1.21.3 and earlier, update to version 1.21.4 or later. For Go versions 1.20.10 and earlier, update to version 1.20.11 or later. As a temporary workaround, consider restricting the use of the IsLocal function until a patch is available. Avoid using reserved device names with trailing spaces or superscripts in the path/filepath package until the issue is resolved.