Input validation error in Go programming language

#VU83255 Input validation error in Go programming language

Published: 2023-11-17

Vulnerability identifier: #VU83255

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45283

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the path/filepath package does not recognize paths with a "??" prefix as Root Local Device path prefix. A local user can abuse such behavior and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.21.0 - 1.21.3, 1.20 - 1.20.10

External links
http://go.dev/issue/63713
http://go.dev/cl/540277
http://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
http://pkg.go.dev/vuln/GO-2023-2185

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Event Streams

Multiple vulnerabilities in IBM CICS TX Standard

Amazon Linux AMI update for golang

Multiple vulnerabilities in HashiCorp Consul

Multiple vulnerabilities in AdGuardHome

SUSE update for go1.21-openssl

SUSE update for go1.20

SUSE update for go1.21

SUSE update for go1.20-openssl

Multiple vulnerabilities in Go programming language