Input validation error in Go programming language - CVE-2023-45284

 


Published: November 17, 2023


Vulnerability identifier: #VU83254
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-45284
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Google
Affected software:
Go programming language

Detailed vulnerability description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists because the IsLocal() function from the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and the reserved names "COM" and "LPT" followed by superscript 1, 2, or 3 are incorrectly reported as local. A local user can abuse this behavior to bypass implemented security restrictions.
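The following added example (not code from the Go project or from this advisory) shows a defense-in-depth check that normalizes each path element before comparing it against the reserved device names, so the two variants described above are caught. The helper names `isReservedElement` and `hasReservedElement` are hypothetical, the sample paths are constructed, and the check covers only trailing spaces, superscript digits and letter case.

```go
package main

import (
	"fmt"
	"strings"
)

// superscriptDigits folds the superscript digits named in the advisory
// (¹, ², ³) to their ASCII equivalents.
var superscriptDigits = strings.NewReplacer("¹", "1", "²", "2", "³", "3")

// isReservedElement reports whether a single path element is a Windows
// reserved device name once trailing spaces are dropped and superscript
// digits are folded. Hypothetical helper, not part of path/filepath.
func isReservedElement(elem string) bool {
	name := strings.ToUpper(strings.TrimRight(elem, " "))
	name = superscriptDigits.Replace(name)
	switch name {
	case "CON", "PRN", "AUX", "NUL":
		return true
	}
	if len(name) == 4 && (strings.HasPrefix(name, "COM") || strings.HasPrefix(name, "LPT")) {
		return name[3] >= '1' && name[3] <= '9'
	}
	return false
}

// hasReservedElement checks every element of a path, splitting on both
// '/' and '\' so the result does not depend on the build platform.
func hasReservedElement(path string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, elem := range strings.FieldsFunc(path, isSep) {
		if isReservedElement(elem) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs: the first three are the variants the
	// advisory describes, the last two are ordinary names.
	for _, p := range []string{"COM1 ", `logs\LPT²`, "com³", "COMMON", "data/report.txt"} {
		fmt.Printf("%q reserved=%v\n", p, hasReservedElement(p))
	}
}
```

Such a check complements the fixed IsLocal() and does not replace the vendor update.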


How to mitigate CVE-2023-45284

Install updates from vendor's website.
