CVE-2023-45285

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GoCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
VendorProductVersion
golanggo
𝑥
< 1.20.12
golanggo
1.21.0-0 ≤
𝑥
< 1.21.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
vulnerable
bookworm
no-dsa
buster
postponed
golang-1.19
bookworm
vulnerable
bullseye
no-dsa
buster
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.19
oracular
dne
noble
dne
mantic
dne
lunar
ignored
jammy
dne
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
golang-1.20
oracular
dne
noble
dne
mantic
Fixed 1.20.8-1ubuntu0.23.10.1
released
lunar
Fixed 1.20.3-1ubuntu0.2
released
jammy
Fixed 1.20.3-1ubuntu0.1~22.04.1
released
focal
Fixed 1.20.3-1ubuntu0.1~20.04.1
released
bionic
ignored
xenial
ignored
trusty
ignored
golang-1.21
oracular
dne
noble
not-affected
mantic
Fixed 1.21.1-1ubuntu0.23.10.1
released
lunar
Fixed 1.21.1-1~ubuntu23.04.2
released
jammy
Fixed 1.21.1-1~ubuntu22.04.2
released
focal
Fixed 1.21.1-1~ubuntu20.04.2
released
bionic
ignored
xenial
ignored
trusty
ignored
References
https://go.dev/cl/540257
https://go.dev/issue/63845
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
https://pkg.go.dev/vuln/GO-2023-2383
https://go.dev/cl/540257
https://go.dev/issue/63845
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIU6HOGV6RRIKWM57LOXQA75BGZSIH6G/
https://pkg.go.dev/vuln/GO-2023-2383