CVE-2023-45285

Public on 2023-12-06
Modified on 2023-12-07
Description
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Severity
Important severity
Important
CVSS v3 Base Score
7.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent Not Affected
Amazon Linux 2023 amazon-cloudwatch-agent Not Affected
Amazon Linux 2 - Core amazon-ecr-credential-helper Not Affected
Amazon Linux 2023 amazon-ecr-credential-helper Not Affected
Amazon Linux 1 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core amazon-ssm-agent Not Affected
Amazon Linux 2023 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core cni-plugins Not Affected
Amazon Linux 2023 cni-plugins Not Affected
Amazon Linux 1 containerd Not Affected
Amazon Linux 2 - Core containerd Not Affected
Amazon Linux 2023 containerd Not Affected
Amazon Linux 2 - Core cri-tools Not Affected
Amazon Linux 1 docker Not Affected
Amazon Linux 2 - Core docker Not Affected
Amazon Linux 2023 docker Not Affected
Amazon Linux 1 ecs-init Not Affected
Amazon Linux 2 - Core ecs-init Not Affected
Amazon Linux 2023 ecs-init Not Affected
Amazon Linux 1 golang Not Affected
Amazon Linux 2 - Core golang Not Affected
Amazon Linux 2023 golang Not Affected
Amazon Linux 1 golist Not Affected
Amazon Linux 2 - Core golist Not Affected
Amazon Linux 2 - Core nerdctl Not Affected
Amazon Linux 2023 nerdctl Not Affected
Amazon Linux 2 - Core oci-add-hooks Not Affected
Amazon Linux 2023 oci-add-hooks Not Affected
Amazon Linux 2 - Core rclone Not Affected
Amazon Linux 1 runc Not Affected
Amazon Linux 2 - Core runc Not Affected
Amazon Linux 2023 runc Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Red Hat: CVE-2023-45285 Mitre: CVE-2023-45285