Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published: 2023-12-06T16:27:55.521Z

Updated: 2024-08-02T20:21:15.349Z

Reserved: 2023-10-06T17:06:26.220Z

Link: CVE-2023-45285

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-12-06T17:15:07.320

Modified: 2024-11-21T08:26:41.953

Link: CVE-2023-45285

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-12-06T00:00:00Z

Links: CVE-2023-45285 - Bugzilla