PT-2023-3108 · Go+11 · Go+11

Vincent Dehors

·

Published

2023-04-05

·

Updated

2026-02-18

·

CVE-2023-29403

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Go (affected versions not specified)
Description The issue is related to the Go runtime not behaving differently when a binary is run with the setuid/setgid bits on Unix platforms. This can be dangerous in certain cases, such as when dumping memory state or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. Exploitation of this issue may allow a remote attacker to elevate their privileges and gain read, modify, or delete access to data.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-642CWE-668

Related Identifiers

ALSA-2023:3922
ALSA-2023:3923
ALT-PU-2023-2086
ALT-PU-2023-2090
ALT-PU-2023-4099
ALT-PU-2023-4736
ALT-PU-2023-4785
ALT-PU-2023-5492
ALT-PU-2023-7055
AZL-27112
AZL-27121
AZL-37301
AZL-37368
AZL-52789
AZL-79002
BDU:2023-03200
BIT-GOLANG-2023-29403
CESA-2023_3922
CVE-2023-29403
GO-2023-1840
MGASA-2023-0227
OESA-2023-1404
OPENSUSE-SU-2024:12987-1
OPENSUSE-SU-2024:12988-1
RHSA-2023:3920
RHSA-2023:3922
RHSA-2023:3923
RHSA-2023_3922
RHSA-2023_3923
RLSA-2023:3923
SUSE-SU-2023:2525-1
SUSE-SU-2023:2526-1
USN-7061-1
USN-7109-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu