#VU83254 Input validation error in Go programming language - CVE-2023-45284

 


Published: November 17, 2023


Vulnerability identifier: #VU83254
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-45284
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Go programming language
Software vendor:
Google

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists because the IsLocal() function in the path/filepath package does not correctly detect reserved device names in some cases when executed on Windows. Reserved names followed by spaces, such as "COM1 ", and the reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. A local user can abuse this behavior to bypass implemented security restrictions.
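
A defensive pre-check for the two cases described above, as an added example (not Go's own code or the vendor's patch): it flags path elements that Windows treats as reserved device names, including names with trailing spaces and COM/LPT followed by a superscript digit. The function names are hypothetical, and the reserved-name list and the handling of text after '.' or ':' are assumptions about Windows behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// reservedBase reports whether s (upper-cased, trailing spaces removed)
// is a reserved device name. The list is an assumption of this example.
func reservedBase(s string) bool {
	switch s {
	case "CON", "PRN", "AUX", "NUL":
		return true
	}
	r := []rune(s)
	if len(r) != 4 || (string(r[:3]) != "COM" && string(r[:3]) != "LPT") {
		return false
	}
	// ASCII digits 1-9, plus the superscript digits named in the advisory.
	return (r[3] >= '1' && r[3] <= '9') || r[3] == '¹' || r[3] == '²' || r[3] == '³'
}

// IsReservedElement checks a single path element (hypothetical helper).
func IsReservedElement(elem string) bool {
	// Assumption: text after the first '.' or ':' does not change the device name.
	if i := strings.IndexAny(elem, ".:"); i >= 0 {
		elem = elem[:i]
	}
	// Trailing spaces are the case the advisory calls out ("COM1 ").
	elem = strings.TrimRight(elem, " ")
	return reservedBase(strings.ToUpper(elem))
}

// HasReservedElement splits on both separators and checks every element.
func HasReservedElement(path string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, e := range strings.FieldsFunc(path, isSep) {
		if IsReservedElement(e) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs.
	for _, p := range []string{"COM1 ", "LPT²", "dir/nul.txt", "COM10", "notes.txt"} {
		fmt.Printf("%q reserved=%v\n", p, HasReservedElement(p))
	}
}
```

Running a check like this on untrusted path input before calling filepath.IsLocal gives defence in depth on Go versions that have not yet received the vendor update.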


Remediation

Install updates from vendor's website.
