Credentials provided via the new GOAUTH feature were not being properly
segmented by domain, allowing a malicious server to request credentials they
should not have access to. By default, unless otherwise set, this only affected
credentials stored in the user's .netrc file.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-45340.
Tracked in http://b/385330440 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1781.
/cc @golang/security and @golang/release
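
The property at stake, as an added example that is not the Go toolchain's code or its fix: a credential is attached to a request only when the request host exactly matches the host it was stored for. The names `netrcLine`, `credStore` and `sentTo`, the HTTPS-only rule, and all hosts and tokens are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// netrcLine is a constructed stand-in for one parsed .netrc entry.
type netrcLine struct{ machine, login, password string }

// credStore keeps credentials keyed by exact, normalized hostname.
type credStore map[string]netrcLine

func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

func newCredStore(lines []netrcLine) credStore {
	s := credStore{}
	for _, l := range lines {
		s[normalize(l.machine)] = l
	}
	return s
}

// sentTo builds a request for rawURL and reports whether credentials were
// attached. Only an exact host match over HTTPS (an assumption here) qualifies.
func sentTo(s credStore, rawURL string) bool {
	req, err := http.NewRequest("GET", rawURL, nil)
	if err != nil || req.URL.Scheme != "https" {
		return false
	}
	l, ok := s[normalize(req.URL.Hostname())] // port stripped, no prefix or suffix matching
	if !ok {
		return false
	}
	req.SetBasicAuth(l.login, l.password)
	_, _, attached := req.BasicAuth()
	return attached
}

func main() {
	s := newCredStore([]netrcLine{{"git.example.com", "alice", "constructed-token"}})
	for _, u := range []string{"https://git.example.com/mod", "https://git.example.com.other.test/mod"} {
		fmt.Println(u, sentTo(s, u))
	}
}
```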