#VU83255 Input validation error in Go programming language - CVE-2023-45283

Cybersecurity Help s.r.o.

Published: 2023-11-17

Vulnerability identifier: #VU83255

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-45283

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the path/filepath package does not recognize paths with a "??" prefix as Root Local Device path prefix. A local user can abuse such behavior and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.20 - 1.21.3

External links
https://go.dev/issue/63713
https://go.dev/cl/540277
https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
https://pkg.go.dev/vuln/GO-2023-2185

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Concert Software

Multiple vulnerabilities in IBM Observability with Instana

Splunk Enterprise update for third-party components

Multiple vulnerabilities in Storage Protect Plus Server

Multiple vulnerabilities in IBM Robotic Process Automation

Gentoo update for Go

Amazon Linux AMI update for golang

Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data

Multiple vulnerabilities in IBM Storage Protect Server

Multiple vulnerabilities in IBM Watson Discovery