Vulnerability Details : CVE-2023-29403
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Products affected by CVE-2023-29403
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29403
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29403
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2023-29403
-
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.Assigned by: security@golang.org (Secondary)
-
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-29403
-
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
[security] Go 1.20.5 and Go 1.19.10 are releasedMailing List;Release Notes
-
https://pkg.go.dev/vuln/GO-2023-1840
GO-2023-1840 - Go PackagesVendor Advisory
-
https://go.dev/cl/501223
runtime: implement SUID/SGID protections (501223) · Gerrit Code ReviewPatch
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
[SECURITY] Fedora 38 Update: golang-1.20.6-1.fc38 - package-announce - Fedora Mailing-ListsMailing List
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
[SECURITY] Fedora 37 Update: golang-1.19.12-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://security.gentoo.org/glsa/202311-09
Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security
-
https://go.dev/issue/60272
runtime: unexpected behavior of setuid/setgid binaries [CVE-2023-29403] · Issue #60272 · golang/go · GitHubIssue Tracking
Jump to