GO-2023-2383

Source
https://pkg.go.dev/vuln/GO-2023-2383
Import Source
https://vuln.go.dev/ID/GO-2023-2383.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2023-2383
Aliases
Related
Published
2023-12-06T16:22:51Z
Modified
2024-05-20T16:03:47Z
Summary
Command 'go get' may unexpectedly fall back to insecure git in cmd/go
Details

Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-2383"
}
References
Credits
    • David Leadbeater

Affected packages

Go / toolchain

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.20.12
Introduced
1.21.0-0
Fixed
1.21.5

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go"
        }
    ]
}