Go package vulnerable to CVE-2023-45285
soorajantonyofficial opened this issue
Issue Highlight:
Go package stdlib is vulnerable to CVE-2023-45285.
Severity of exposure for this CVE is marked high as per NIST and MITRE.
The CVE is described as:
Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).
Recommendation:
Since the latest AWS Lambda RIE utilizes stdlib, a patch to upgrade the Go binary from 1.20.11 to go1.20.12 or go1.21.5 (or newer) would be an ideal solution to resolve this CVE exposure.
@Team, can you please let us know about this issue?
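The two conditions the advisory names (an unpatched toolchain and direct fetching with GOPROXY=off) can be turned into a quick audit check. The program below is an added example, not code from this issue or from the RIE project; it assumes that a GOPROXY list consisting only of "off"/"direct" entries counts as direct fetching, and that the version string has the "goX.Y.Z" shape that runtime.Version() and go version print.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strings"
)

type goVersion struct{ major, minor, patch int }

// toolchainPatched reports whether v carries the fix: go1.20.12+, go1.21.5+ or any later series.
func toolchainPatched(v goVersion) bool {
	switch {
	case v.major != 1:
		return v.major > 1
	case v.minor == 20:
		return v.patch >= 12
	case v.minor == 21:
		return v.patch >= 5
	}
	return v.minor > 21
}

// fetchesDirectly reports whether GOPROXY names no module proxy at all. The advisory cites GOPROXY=off;
// treating a comma list made only of "off"/"direct" the same way is this example's assumption.
// The empty string means the default (proxy.golang.org,direct), which does use a proxy, so it is false.
func fetchesDirectly(goproxy string) bool {
	for _, e := range strings.Split(goproxy, ",") {
		if e = strings.TrimSpace(e); e != "off" && e != "direct" {
			return false
		}
	}
	return true
}

// exposed reports whether version (as runtime.Version() or `go version` prints it, e.g. "go1.20.11")
// lacks the fix while goproxy is set for direct fetching. A prerelease suffix such as "rc1" is ignored.
func exposed(version, goproxy string) (bool, error) {
	var v goVersion
	if n, _ := fmt.Sscanf(strings.TrimSpace(version), "go%d.%d.%d", &v.major, &v.minor, &v.patch); n < 2 {
		return false, fmt.Errorf("unrecognised Go version %q", version)
	}
	return !toolchainPatched(v) && fetchesDirectly(goproxy), nil
}

func main() {
	// os.Getenv only sees an exported GOPROXY; `go env GOPROXY` is the authoritative effective value.
	hit, err := exposed(runtime.Version(), os.Getenv("GOPROXY"))
	fmt.Println("toolchain:", runtime.Version(), "exposed:", hit, "err:", err)
}
```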
I'm sorry for the delay; there's a new version available now that uses Go 1.20.14: https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.16