exploitDog

CVE-2024-45340

Published: 28 Jan 2025
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

A flaw was found in the cmd/go package in Golang. A malicious server can access credentials belonging to other servers due to how domains are parsed in the .netrc file, causing a credential leak. By default, this issue only affects credentials stored in the .netrc file.

Statement

Red Hat Trusted Artifact Signer is not affected by this vulnerability because the vulnerable code was introduced in a newer golang version that is not used by this product.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Trusted Artifact Signer | rhtas/fulcio-rhel9 | Not affected | | |

Additional information

Status: Important
Defect: CWE-201
https://bugzilla.redhat.com/show_bug.cgi?id=2342465 (cmd/go: golang: GOAUTH credential leak in cmd/go)

EPSS: 0.00142 (percentile: 35%, Low)

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 8.8
ubuntu
12 months ago

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

CVSS3: 8.8
nvd
12 months ago

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

CVSS3: 8.8
debian
12 months ago

Credentials provided via the new GOAUTH feature were not being properl ...

CVSS3: 8.8
github
12 months ago

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.

CVSS3: 7.1
fstec
about 1 year ago

A vulnerability in the GOAUTH function of the cmd/go component of the go library for the Golang programming language that allows an attacker to gain unauthorized access to protected information
