Lucene search

K
cvelistGoCVELIST:CVE-2023-29403
HistoryJun 08, 2023 - 8:19 p.m.

CVE-2023-29403 Unsafe behavior in setuid/setgid binaries in runtime

2023-06-0820:19:13
Go
www.cve.org

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.9%

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "runtime",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "runtime",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.19.10",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.20.0-0",
        "lessThan": "1.20.5",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]