Vulnerability Report: GO-2023-2383

  • CVE-2023-45285
  • Affects: cmd/go
  • Published: Dec 06, 2023

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Affected Packages

  • Path
    Versions
    Symbols
  • cmd/go
    before go1.20.12, from go1.21.0-0 before go1.21.5
    all symbols

Aliases

References

Credits

  • David Leadbeater

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.