Vulnerability CVE-2023-45285


Published: 2023-12-06   Modified: 2023-12-14

Description:
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Type:

CWE-noinfo

Affected software
Golang -> GO 

 References:
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://go.dev/issue/63845
https://go.dev/cl/540257
https://pkg.go.dev/vuln/GO-2023-2383

Copyright 2024, cxsecurity.com

 

Back to Top