#VU83929 Missing Encryption of Sensitive Data in Go programming language - CVE-2023-45285
Published: December 6, 2023
Vulnerability identifier: #VU83929
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-45285
CWE-ID: CWE-311
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a fallback to insecure git. Using "go get" to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. OPROXY=off).
Remediation
Install updates from vendor's website.