blob: bb5b1a619a71d78d6b7c3c9a8da42b2ed3e33fe7 [file] [log] [blame]
id: GO-2023-2383
modules:
- module: cmd
versions:
- fixed: 1.20.12
- introduced: 1.21.0-0
fixed: 1.21.5
vulnerable_at: 1.21.4
packages:
- package: cmd/go
summary: Command 'go get' may unexpectedly fallback to insecure git in cmd/go
description: |-
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback
to the insecure "git://" protocol if the module is unavailable via the secure
"https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said
module. This only affects users who are not using the module proxy and are
fetching modules directly (i.e. GOPROXY=off).
credits:
- David Leadbeater
references:
- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
- report: https://go.dev/issue/63845
- fix: https://go.dev/cl/540257
cve_metadata:
id: CVE-2023-45285
cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'