Copyright 2024 The Go Authors. All rights reserved.
Use of this source code is governed by a BSD-style
license that can be found in the LICENSE file.
Expected output of TestCVEToReport/CVE-2023-45285.
-- CVE-2023-45285 --
id: GO-ID-PENDING
modules:
    - module: std
      packages:
        - package: cmd/go
summary: CVE-2023-45285 in cmd/go
description: |-
    Using go get to fetch a module with the ".git" suffix may unexpectedly fallback
    to the insecure "git://" protocol if the module is unavailable via the secure
    "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said
    module. This only affects users who are not using the module proxy and are
    fetching modules directly (i.e. GOPROXY=off).
references:
    - web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
    - report: https://go.dev/issue/63845
    - fix: https://go.dev/cl/540257
cve_metadata:
    id: CVE-2023-45285
    cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'
source:
    id: CVE-2023-45285