Description
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
A flaw was found in the Golang package cmd/go. This issue permits the fallback to the insecure "git://" protocol when fetching a .git module for which no "https://" or "git+ssh://" endpoint is available.
Report
Red Hat rates this issue as Moderate, as the default configuration avoids this behavior, mitigating the vulnerability.
Mitigation
This issue only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off). To mitigate it, keep GOPROXY at its default value and use a module proxy. This vulnerability is not exploitable with the default GOPROXY value.
Affected packages
Platform | Package | Status | Advisory | Release
---|---|---|---|---
OpenShift Service Mesh 2 | openshift-golang-builder-container | Not affected | |
Red Hat OpenShift Virtualization 4 | openshift-golang-builder-container | Affected | |
Red Hat Storage 3 | golang | Affected | |
Red Hat Developer Tools | go-toolset-1.19-golang | Fixed | RHSA-2024:1041 | 29.02.2024
Red Hat Enterprise Linux 8 | go-toolset | Fixed | RHSA-2024:0887 | 20.02.2024
Red Hat Enterprise Linux 9 | golang | Fixed | RHSA-2024:1131 | 05.03.2024
Red Hat OpenShift Container Platform 4.15 | openshift4/cloud-network-config-controller-rhel8 | Fixed | RHSA-2023:7198 | 27.02.2024
Red Hat OpenShift Container Platform 4.15 | openshift4/egress-router-cni-rhel8 | Fixed | RHSA-2023:7198 | 27.02.2024
Red Hat OpenShift Container Platform 4.15 | openshift4/kube-metrics-server-rhel8 | Fixed | RHSA-2023:7198 | 27.02.2024
Red Hat OpenShift Container Platform 4.15 | openshift4/kubevirt-csi-driver-rhel8 | Fixed | RHSA-2023:7198 | 27.02.2024
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
Vulnerability in the cmd-go component of the Go programming language that allows an attacker to gain unauthorized access to protected information