PT-2023-8188 · Go+9

David Leadbeater · Published 2023-12-05 · Updated 2024-09-09 · CVE-2023-45285

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- Go versions prior to 1.21.5
- Go versions prior to 1.20.12

Description
The issue affects the "go get" command when it fetches modules whose path carries the ".git" suffix. If the module cannot be retrieved over a secure protocol, "go get" may fall back to the insecure "git://" protocol even though GOINSECURE is not set for that module. Only users who bypass the module proxy and fetch modules directly are affected. Because the fallback transmits data in cleartext, a remote attacker may gain unauthorized access to protected information.

Recommendations
For Go versions prior to 1.21.5, update to Go 1.21.5 to fix the issue. For Go versions prior to 1.20.12, update to Go 1.20.12 to fix the issue. As a temporary workaround, consider setting GOPROXY to a secure proxy or enabling GOINSECURE for the affected modules to minimize the risk of exploitation. Restrict direct fetching of modules using "go get" until the issue is resolved.
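The version check behind the recommendations above, as an added shell example that is not part of the advisory or of the Go project: it parses a toolchain version string as printed by `go version`, decides whether that release already contains the fix (1.21.5 or 1.20.12 per the advisory), and reports the GOPROXY workaround otherwise. Assumptions: release version strings of the form go1.21.4 or go1.22 (pre-release suffixes such as rc or beta are not handled), and the helper names go_version_is_fixed and check_installed_go are mine.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Go toolchain version as
# fixed or still affected by CVE-2023-45285 (fixed in Go 1.21.5 and 1.20.12).
# Assumption: release version strings like "go1.21.4" or "go1.22".

# Returns 0 when the version carries the fix, 1 when it is still affected.
go_version_is_fixed() {
  v="${1#go}"                        # "go1.21.4" -> "1.21.4"
  major="${v%%.*}"                   # "1"
  rest="${v#*.}"                     # "21.4"
  minor="${rest%%.*}"                # "21"
  patch="${rest#*.}"                 # "4"
  [ "$patch" = "$rest" ] && patch=0  # "1.22" has no patch component

  # Any release line newer than 1.21 already includes the fix.
  [ "$major" -gt 1 ] && return 0
  [ "$minor" -ge 22 ] && return 0

  # Within the two patched lines, the patch level decides.
  if [ "$minor" -eq 21 ]; then
    [ "$patch" -ge 5 ] && return 0
    return 1
  fi
  if [ "$minor" -eq 20 ]; then
    [ "$patch" -ge 12 ] && return 0
    return 1
  fi

  # Older lines (1.19 and below) predate both fixes.
  return 1
}

# Inspect the locally installed toolchain; exit status 0 = fixed,
# 1 = affected, 2 = no usable `go` binary found.
check_installed_go() {
  ver="$(go version 2>/dev/null | awk '{print $3}')"
  [ -n "$ver" ] || { echo "go toolchain not found"; return 2; }
  if go_version_is_fixed "$ver"; then
    echo "$ver: contains the fix for CVE-2023-45285"
    return 0
  fi
  echo "$ver: affected by CVE-2023-45285; update, or point GOPROXY at a trusted HTTPS proxy until you can"
  return 1
}

# Run the local check only when asked, so sourcing this file just defines the helpers.
if [ "${1:-}" = "--check" ]; then
  check_installed_go
fi
```

Run it as `sh check_go.sh --check` on each build host; a non-zero exit status flags machines that still need the update or the GOPROXY workaround.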


Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

ALSA-2024:0887
ALSA-2024:1131
ALT-PU-2023-7810
ALT-PU-2023-7811
ALT-PU-2023-7813
ALT-PU-2024-11872
ALT-PU-2024-1825
ALT-PU-2024-4847
ALT-PU-2024-8482
AZL-32101
AZL-32103
AZL-37323
AZL-37438
AZL-79014
BDU:2024-00176
BIT-GOLANG-2023-45285
CESA-2024_0887
CVE-2023-45285
GO-2023-2383
MGASA-2023-0349
OESA-2023-1935
OPENSUSE-SU-2023_4708-1
OPENSUSE-SU-2023_4709-1
OPENSUSE-SU-2023_4930-1
OPENSUSE-SU-2023_4931-1
OPENSUSE-SU-2024:13491-1
OPENSUSE-SU-2024:13492-1
RHSA-2024:0887
RHSA-2024:1041
RHSA-2024:1131
RHSA-2024_0887
RHSA-2024_1131
SUSE-SU-2023:4708-1
SUSE-SU-2023:4709-1
SUSE-SU-2023:4930-1
SUSE-SU-2023:4931-1
USN-6574-1

Affected Products

Alt Linux
Almalinux
Centos
Debian
Go
Linuxmint
Red Hat
Red Os
Suse
Ubuntu