cmd/go: GOAUTH credential leak [CVE-2024-45340] #71249

@rolandshoemaker

Credentials provided via the new GOAUTH feature were not being properly
segmented by domain, allowing a malicious server to request credentials they
should not have access to. By default, unless otherwise set, this only affected
credentials stored in the user's .netrc file.

Thanks to Juho Forsén of Mattermost for reporting this issue.

This is CVE-2024-45340.

Tracked in http://b/385330440 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/1781.

/cc @golang/security and @golang/release
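
The property the description says was missing (credentials segmented by domain), as an added example that is not cmd/go's code and does not reproduce the faulty lookup, which this page does not describe. The `.netrc` content, host names, and the helpers `parseNetrc` and `credsFor` are constructed for illustration; the HTTPS-only rule is this example's own choice.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample .netrc content; hosts and tokens are placeholders.
const sampleNetrc = `machine git.example.com login alice password constructed-token-1
machine proxy.example.net login bob password constructed-token-2`

type cred struct{ login, password string }

// parseNetrc reads machine/login/password entries (simplified: no default/macdef).
func parseNetrc(data string) map[string]cred {
	out := map[string]cred{}
	f, host := strings.Fields(data), ""
	for i := 0; i+1 < len(f); i += 2 {
		c := out[host]
		switch f[i] {
		case "machine":
			host, c = strings.ToLower(f[i+1]), cred{}
		case "login":
			c.login = f[i+1]
		case "password":
			c.password = f[i+1]
		}
		out[host] = c
	}
	return out
}

// credsFor releases a credential only when the URL is HTTPS and its host equals
// a machine entry exactly: no prefix, suffix or substring matching.
func credsFor(store map[string]cred, rawURL string) (cred, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return cred{}, false
	}
	c, ok := store[strings.ToLower(u.Hostname())]
	return c, ok && c.password != ""
}

func main() {
	for _, u := range []string{"https://git.example.com/mod", "https://git.example.com.attacker.example/mod"} {
		_, ok := credsFor(parseNetrc(sampleNetrc), u)
		fmt.Println(u, "-> credentials attached:", ok)
	}
}
```
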

Labels: GoCommand, cmd/go, NeedsFix, Security