aws / aws-lambda-runtime-interface-emulator


Go package vulnerable to CVE-2023-45285

soorajantonyofficial opened this issue · comments

Issue Highlight:

Go package stdlib is vulnerable to CVE-2023-45285.
Severity of exposure for this CVE is marked high as per NIST and MITRE.

The CVE is described as

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

Recommendation:

Since the latest AWS Lambda RIE utilizes stdlib, a patch to upgrade the Go binary from go1.20.11 to go1.20.12 or go1.21.5 (or newer) would be an ideal solution to resolve this CVE exposure.

@Team, can you please let us know about this issue?

I'm sorry for the delay; there's a new version available now that uses Go 1.20.14: https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.16
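The issue turns on which Go toolchain a binary was built with, and that is something you can verify directly rather than trusting a changelog: every Go binary embeds its toolchain version, readable with the standard library's `debug/buildinfo` package. The program below is an added example written for this page, not code from the RIE project or the issue author. It reads the embedded version from a binary (the path `./aws-lambda-rie` is an assumed default; pass another path as the first argument) and compares it against the fixed releases named in the CVE text, go1.20.12 and go1.21.5. Two classification choices are assumptions of this example, not statements from the page: series older than 1.20 are reported as affected because they were out of support when the fix shipped, and 1.22 and later are reported as fixed.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns a toolchain string such as "go1.20.11" into
// (major, minor, patch). A pre-release marker ("go1.21rc2") and anything
// after it is dropped, so pre-releases count as patch 0 of their series.
// ok is false when the string cannot be parsed as a Go version.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	for _, marker := range []string{"rc", "beta"} {
		if i := strings.Index(v, marker); i >= 0 {
			v = v[:i]
		}
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3) // missing patch component stays 0
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// fixedIn maps a Go 1.x minor series to the first patch release that
// contains the CVE-2023-45285 fix: go1.20.12 and go1.21.5, as stated in
// the CVE description.
var fixedIn = map[int]int{20: 12, 21: 5}

// vulnerableToCVE202345285 reports whether a toolchain version is affected.
// Assumptions of this example: series before 1.20 (unsupported when the fix
// shipped) are treated as affected, and 1.22 and later as fixed.
func vulnerableToCVE202345285(version string) (bool, error) {
	major, minor, patch, ok := parseGoVersion(version)
	if !ok || major != 1 {
		return false, fmt.Errorf("unrecognised Go version %q", version)
	}
	fixPatch, known := fixedIn[minor]
	switch {
	case minor < 20:
		return true, nil
	case known:
		return patch < fixPatch, nil
	default:
		return false, nil
	}
}

// checkBinary reads the toolchain version embedded in a Go executable
// (for instance the emulator's aws-lambda-rie binary) and classifies it.
func checkBinary(path string) (version string, vulnerable bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	vulnerable, err = vulnerableToCVE202345285(info.GoVersion)
	return info.GoVersion, vulnerable, err
}

func main() {
	path := "./aws-lambda-rie" // assumed location of the emulator binary
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	version, vulnerable, err := checkBinary(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s; affected by CVE-2023-45285: %v\n", path, version, vulnerable)
}
```

Run it as `go run check.go /path/to/aws-lambda-rie`; the same check works on any Go binary in a container image, which is handy when a scanner flags "stdlib" without saying which executable it means. Note that the CVE concerns `go get` at module-fetch time, so the embedded version tells you which toolchain built the binary, not whether any fetch ever fell back to `git://`.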