Lucene search

K
nvd[email protected]NVD:CVE-2023-29403
HistoryJun 08, 2023 - 9:15 p.m.

CVE-2023-29403

2023-06-0821:15:16
CWE-668
web.nvd.nist.gov
go runtime
unix platforms
setuid
setgid
binary
standard i/o
file descriptors
elevated privileges
terminated
vulnerability

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.3%

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Affected configurations

NVD
Node
golanggoRange<1.19.10
OR
golanggoRange1.20.0โ€“1.20.5
Node
fedoraprojectfedoraMatch38

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.3%