2342465 – (CVE-2024-45340) CVE-2024-45340 cmd/go: golang: GOAUTH credential leak in cmd/go

Bug 2342465 (CVE-2024-45340) - CVE-2024-45340 cmd/go: golang: GOAUTH credential leak in cmd/go

Summary: CVE-2024-45340 cmd/go: golang: GOAUTH credential leak in cmd/go

Keywords:
Status:	NEW
Alias:	CVE-2024-45340
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-01-28 02:01 UTC by OSIDB Bzimport
Modified:	2025-02-04 17:49 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-01-28 02:01:22 UTC

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

Note You need to log in before you can comment on or make changes to this bug.

aprice
bkabrda
caswilli
dfreiber
drow
jburrell
jdobes
jsamir
kaycoth
lball
ljawale
luizcosta
mpierce
ngough
nweather
orabin
psegedy
rbobbitt
veshanka
vkumar
zkayyali