CVE-2023-29403

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/501223	Patch
https://go.dev/issue/60272	Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ	Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/	Mailing List
https://pkg.go.dev/vuln/GO-2023-1840	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://go.dev/cl/501223	Patch
https://go.dev/issue/60272	Issue Tracking
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ	Mailing List Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/	Mailing List
https://pkg.go.dev/vuln/GO-2023-1840	Vendor Advisory
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20241220-0009/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

History

06 Jan 2025, 20:15

Type	Values Removed	Values Added
Summary		(es) En las plataformas Unix, el entorno de ejecución de Go no se comporta de forma diferente cuando se ejecuta un binario con los bits setuid/setgid. Esto puede ser peligroso en ciertos casos, como cuando se vuelca el estado de la memoria o se asume el estado de los descriptores de archivos de E/S estándar. Si se ejecuta un binario setuid/setgid con los descriptores de archivos de E/S estándar cerrados, la apertura de cualquier archivo puede provocar que se lea o escriba contenido inesperado con privilegios elevados. De manera similar, si se finaliza un programa setuid/setgid, ya sea por pánico o señal, puede filtrar el contenido de sus registros.

20 Dec 2024, 13:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20241220-0009/ -

21 Nov 2024, 07:56

Type	Values Removed	Values Added
References	~~() https://go.dev/cl/501223 - Patch~~	() https://go.dev/cl/501223 - Patch
References	~~() https://go.dev/issue/60272 - Issue Tracking~~	() https://go.dev/issue/60272 - Issue Tracking
References	~~() https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ - Mailing List, Release Notes~~	() https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ - Mailing List, Release Notes
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ - Mailing List~~	() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ - Mailing List
References	~~() https://pkg.go.dev/vuln/GO-2023-1840 - Vendor Advisory~~	() https://pkg.go.dev/vuln/GO-2023-1840 - Vendor Advisory
References	~~() https://security.gentoo.org/glsa/202311-09 -~~	() https://security.gentoo.org/glsa/202311-09 -

25 Nov 2023, 11:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202311-09 -

Information

Published : 2023-06-08 21:15

Updated : 2025-01-06 20:15

NVD link : CVE-2023-29403

Mitre link : CVE-2023-29403

CVE.ORG link : CVE-2023-29403

JSON object : View

Products Affected

fedoraproject

fedora

golang

CWE

CWE-668

Exposure of Resource to Wrong Sphere

7.8 /10