CVE-2023-45285

Aliases:GO-2023-2383BIT-golang-2023-45285

Advisory lineage Upstream: 0 Downstream: 13

Downstream

DEBIAN-CVE-2023-45285 MGASA-2023-0349 OPENSUSE-SU-2024:13491-1 OPENSUSE-SU-2024:13492-1 RHSA-2024:0887 RHSA-2024:1041

Modified

Published: 06 Dec 2023, 16:27

Last modified:13 Feb 2025, 17:14

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.06% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Dec 2023, 16:27

Published

Vulnerability first disclosed

13 Feb 2025, 17:14

Last Modified

Vulnerability information updated

Description

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.06%• Percentile: 17%

Affected Systems

go toolchain•cmd/go
< 1.20.12 | ≥ 1.21.0-0, < 1.21.5
golang•go
< 1.20.12 | ≥ 1.21.0-0, < 1.21.5
Go•toolchain
≥ 1.21.0-0, < 1.21.5