CVE-2024-45340

Aliases:GO-2025-3383BIT-golang-2024-45340

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2024-45340 OPENSUSE-SU-2025:14693-1 OPENSUSE-SU-2025:14710-1 SUSE-SU-2025:0285-1 SUSE-SU-2025:0297-1 SUSE-SU-2025:0429-1

Deferred

Published: 28 Jan 2025, 01:03

Last modified:30 Jan 2025, 19:14

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

v3.1 (cve.org)

EPSS Score

0.09% LOW

0% probability -0.05%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 Jan 2025, 01:03

Published

Vulnerability first disclosed

30 Jan 2025, 19:14

Last Modified

Vulnerability information updated

Description

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.09%• Percentile: 25%

Affected Systems

go toolchain•cmd/go
≥ 1.24.0-0, < 1.24.0-rc.2
Go•toolchain
≥ 1.24.0-0, < 1.24.0-rc.2