data/reports: add GO-2023-2383.yaml
Aliases: CVE-2023-45285

Updates #2383

Change-Id: I89d9f9fef83beef4fa0fb80a8835e9c9986a1c9d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547559
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
tatianab committed Dec 6, 2023
1 parent 35b48f5 commit ddd21a4
Showing 3 changed files with 167 additions and 0 deletions.
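--- a/data/cve/v5/GO-2023-2383.json
+++ b/data/cve/v5/GO-2023-2383.json
@@ -0,0 +1,74 @@
+{
+"dataType": "CVE_RECORD",
+"dataVersion": "5.0",
+"cveMetadata": {
+"cveId": "CVE-2023-45285"
+},
+"containers": {
+"cna": {
+"providerMetadata": {
+"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+},
+"title": "Command 'go get' may unexpectedly fallback to insecure git in cmd/go",
+"descriptions": [
+{
+"lang": "en",
+"value": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off)."
+}
+],
+"affected": [
+{
+"vendor": "Go toolchain",
+"product": "cmd/go",
+"collectionURL": "https://pkg.go.dev",
+"packageName": "cmd/go",
+"versions": [
+{
+"version": "0",
+"lessThan": "1.20.12",
+"status": "affected",
+"versionType": "semver"
+},
+{
+"version": "1.21.0-0",
+"lessThan": "1.21.5",
+"status": "affected",
+"versionType": "semver"
+}
+],
+"defaultStatus": "unaffected"
+}
+],
+"problemTypes": [
+{
+"descriptions": [
+{
+"lang": "en",
+"description": "CWE-636: Not Failing Securely ('Failing Open')"
+}
+]
+}
+],
+"references": [
+{
+"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
+},
+{
+"url": "https://go.dev/issue/63845"
+},
+{
+"url": "https://go.dev/cl/540257"
+},
+{
+"url": "https://pkg.go.dev/vuln/GO-2023-2383"
+}
+],
+"credits": [
+{
+"lang": "en",
+"value": "David Leadbeater"
+}
+]
+}
+}
+}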
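--- a/data/osv/GO-2023-2383.json
+++ b/data/osv/GO-2023-2383.json
@@ -0,0 +1,67 @@
+{
+"schema_version": "1.3.1",
+"id": "GO-2023-2383",
+"modified": "0001-01-01T00:00:00Z",
+"published": "0001-01-01T00:00:00Z",
+"aliases": [
+"CVE-2023-45285"
+],
+"summary": "Command 'go get' may unexpectedly fallback to insecure git in cmd/go",
+"details": "Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).",
+"affected": [
+{
+"package": {
+"name": "toolchain",
+"ecosystem": "Go"
+},
+"ranges": [
+{
+"type": "SEMVER",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.20.12"
+},
+{
+"introduced": "1.21.0-0"
+},
+{
+"fixed": "1.21.5"
+}
+]
+}
+],
+"ecosystem_specific": {
+"imports": [
+{
+"path": "cmd/go"
+}
+]
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"
+},
+{
+"type": "REPORT",
+"url": "https://go.dev/issue/63845"
+},
+{
+"type": "FIX",
+"url": "https://go.dev/cl/540257"
+}
+],
+"credits": [
+{
+"name": "David Leadbeater"
+}
+],
+"database_specific": {
+"url": "https://pkg.go.dev/vuln/GO-2023-2383"
+}
+}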
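--- a/data/reports/GO-2023-2383.yaml
+++ b/data/reports/GO-2023-2383.yaml
@@ -0,0 +1,26 @@
+id: GO-2023-2383
+modules:
+- module: cmd
+versions:
+- fixed: 1.20.12
+- introduced: 1.21.0-0
+fixed: 1.21.5
+vulnerable_at: 1.21.4
+packages:
+- package: cmd/go
+summary: Command 'go get' may unexpectedly fallback to insecure git in cmd/go
+description: |-
+Using go get to fetch a module with the ".git" suffix may unexpectedly fallback
+to the insecure "git://" protocol if the module is unavailable via the secure
+"https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said
+module. This only affects users who are not using the module proxy and are
+fetching modules directly (i.e. GOPROXY=off).
+credits:
+- David Leadbeater
+references:
+- web: https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
+- report: https://go.dev/issue/63845
+- fix: https://go.dev/cl/540257
+cve_metadata:
+id: CVE-2023-45285
+cwe: 'CWE-636: Not Failing Securely (''Failing Open'')'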
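Review bot: `fallback` is used as a verb in both the `summary` line and the first line of the `description` block; the verb form is `fall back` (`fallback` is the noun), so `summary: Command 'go get' may unexpectedly fall back to insecure git in cmd/go` and `Using go get to fetch a module with the ".git" suffix may unexpectedly fall back` read correctly. The same wording appears in the `title`/`value` fields of data/cve/v5/GO-2023-2383.json and the `summary`/`details` fields of data/osv/GO-2023-2383.json in this commit, which presumably are regenerated from this report, so fixing it here should propagate. The rendered page has dropped the YAML indentation, so the nesting of `versions`, `fixed` and `packages` under `modules` cannot be confirmed from what is shown.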
