{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45340", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2024-08-27T19:41:58.556Z", "datePublished": "2025-01-28T01:03:24.605Z", "dateUpdated": "2025-01-30T19:14:21.639Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-01-30T19:14:21.639Z"}, "title": "GOAUTH credential leak in cmd/go", "descriptions": [{"lang": "en", "value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file."}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "collectionURL": "https://pkg.go.dev", "packageName": "cmd/go", "versions": [{"version": "1.24.0-0", "lessThan": "1.24.0-rc.2", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "references": [{"url": "https://go.dev/cl/643097"}, {"url": "https://go.dev/issue/71249"}, {"url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3383"}], "credits": [{"lang": "en", "value": "Juho Fors\u00e9n of Mattermost"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-28T14:57:35.666224Z", "id": "CVE-2024-45340", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T15:16:48.229Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-45340", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T14:57:35.666224Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T14:47:10.881Z"}}], "cna": {"title": "GOAUTH credential leak in cmd/go", "credits": [{"lang": "en", "value": "Juho Fors\u00e9n of Mattermost"}], "affected": [{"vendor": "Go toolchain", "product": "cmd/go", "versions": [{"status": "affected", "version": "1.24.0-0", "lessThan": "1.24.0-rc.2", "versionType": "semver"}], "packageName": "cmd/go", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/643097"}, {"url": "https://go.dev/issue/71249"}, {"url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3383"}], "descriptions": [{"lang": "en", "value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-01-30T19:14:21.639Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45340", "state": "PUBLISHED", "dateUpdated": "2025-01-30T19:14:21.639Z", "dateReserved": "2024-08-27T19:41:58.556Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2025-01-28T01:03:24.605Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file."}, {"lang": "es", "value": "Las credenciales proporcionadas a trav\u00e9s de la nueva funci\u00f3n GOAUTH no se segmentaban correctamente por dominio, lo que permit\u00eda que un servidor malintencionado solicitara credenciales a las que no deber\u00eda tener acceso. De forma predeterminada, a menos que se configure lo contrario, esto solo afectaba a las credenciales almacenadas en el archivo .netrc de los usuarios."}], "id": "CVE-2024-45340", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-28T02:15:29.050", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/643097"}, {"source": "security@golang.org", "url": "https://go.dev/issue/71249"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2025-3383"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "cmd/go: golang: GOAUTH credential leak in cmd/go", "id": "2342465", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342465"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.", "A flaw was found in the cmd/go package in Golang. A malicious server can access credentials belonging to other servers due to how domains are parsed in the .netrc file, causing a credential leak. By default, this issue only affects credentials stored in the .netrc file."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-45340", "package_state": [{"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Not affected", "package_name": "rhtas/fulcio-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-01-28T01:03:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45340\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45340\nhttps://go.dev/cl/643097\nhttps://go.dev/issue/71249\nhttps://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ\nhttps://pkg.go.dev/vuln/GO-2025-3383"], "statement": "Red Hat Trusted Artifact Signer is not affected by this vulnerability because the vulnerable code was introduced in a newer golang version that is not used by this product.", "threat_severity": "Important"}

{}