#VU83254 Input validation error in Go programming language


Published: 2023-11-17

Vulnerability identifier: #VU83254

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45284

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the IsLocal() function from the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. A local user can abuse such behavior and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.21 rc1 - 1.21.3, 1.20 - 1.20.10

External links
http://go.dev/issue/63713
http://go.dev/cl/540277
http://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
http://pkg.go.dev/vuln/GO-2023-2186

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM CICS TX Standard
Amazon Linux AMI update for golang
SUSE update for go1.20-openssl
SUSE update for go1.21-openssl
Multiple vulnerabilities in HashiCorp Consul
SUSE update for go1.20
SUSE update for go1.21
SUSE update for go1.21-openssl
SUSE update for go1.20
SUSE update for go1.21