PT-2023-7932 · Go+3 · Go+3

Neil

·

Published

2023-11-08

·

Updated

2026-04-21

·

CVE-2023-45284

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Go versions 1.21.3 and earlier, 1.20.10 and earlier
Description The issue is related to the IsLocal function not correctly detecting reserved device names in some cases on Windows. Specifically, reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. This can be exploited by a remote attacker to bypass existing security restrictions. The estimated number of potentially affected devices is not specified.
Recommendations For Go versions 1.21.3 and earlier, update to version 1.21.4 or later. For Go versions 1.20.10 and earlier, update to version 1.20.11 or later. As a temporary workaround, consider restricting the use of the IsLocal function until a patch is available. Avoid using reserved device names with trailing spaces or superscripts in the path/filepath package until the issue is resolved.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2023-7049
ALT-PU-2023-7050
ALT-PU-2023-7055
ALT-PU-2023-7056
ALT-PU-2024-11872
ALT-PU-2024-1825
ALT-PU-2024-4847
AZL-37425
AZL-37513
AZL-78944
BDU:2023-09012
BIT-GOLANG-2023-45284
CVE-2023-45284
GHSA-RQ3X-83W4-P28C
GO-2023-2186
OPENSUSE-SU-2023_4469-1
OPENSUSE-SU-2023_4470-1
OPENSUSE-SU-2023_4471-1
OPENSUSE-SU-2023_4472-1
OPENSUSE-SU-2023_4708-1
OPENSUSE-SU-2023_4709-1
OPENSUSE-SU-2023_4930-1
OPENSUSE-SU-2023_4931-1
OPENSUSE-SU-2024:13491-1
OPENSUSE-SU-2024:13492-1
OPENSUSE-SU-2024:13506-1
OPENSUSE-SU-2024:14076-1
SUSE-SU-2023:4469-1
SUSE-SU-2023:4470-1
SUSE-SU-2023:4471-1
SUSE-SU-2023:4472-1
SUSE-SU-2023:4708-1
SUSE-SU-2023:4709-1
SUSE-SU-2023:4930-1
SUSE-SU-2023:4931-1

Affected Products

Alt Linux
Debian
Go
Suse