What is CVE-2023-29403?

CVE-2023-29403 is a vulnerability in the Go programming language on Unix platforms, where the Go runtime does not behave differently when a binary is run with the setuid/setgid bits, which can be dangerous in certain cases.

What is the severity of CVE-2023-29403?

The severity of CVE-2023-29403 is high with a severity value of 7.8.

Which software versions are affected by CVE-2023-29403?

The affected software versions are Go up to version 1.19.10, Go versions 1.20.0 to 1.20.5, and Fedora version 38.

How can CVE-2023-29403 be exploited?

CVE-2023-29403 can be exploited by executing a setuid/setgid binary with standard I/O, allowing for dangerous actions like dumping memory state or assuming the status of standard I/O file descriptors.

Are there any references available for CVE-2023-29403?

Yes, you can find references for CVE-2023-29403 at the following links: [link1](https://go.dev/cl/501223), [link2](https://go.dev/issue/60272), [link3](https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ)

Vulnerability/
CVE-2023-29403

high

7.8

CWE

668 642

8/6/2023

21/10/2024

CVE-2023-29403: Unsafe behavior in setuid/setgid binaries in runtime

First published: Thu Jun 08 2023(Updated: )

Golang Go could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when a binary is run with the setuid/setgid bits. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. to read or write contents of the registers.

Credit: security@golang.org security@golang.org security@golang.org

Affected Software	Affected Version	How to fix
Golang Go	<1.19.10
Golang Go	>=1.20.0<1.20.5
Fedoraproject Fedora	=38
redhat/go	<1.20.5	1.20.5
redhat/go	<1.19.10	1.19.10
debian/golang-1.15	<=1.15.15-1~deb11u4
debian/golang-1.19	<=1.19.8-2
IBM Concert Software	<=1.0.0 - 1.0.1

Remedy

https://go.dev/cl/501223

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7173596

Frequently Asked Questions

What is CVE-2023-29403?
CVE-2023-29403 is a vulnerability in the Go programming language on Unix platforms, where the Go runtime does not behave differently when a binary is run with the setuid/setgid bits, which can be dangerous in certain cases.
What is the severity of CVE-2023-29403?
The severity of CVE-2023-29403 is high with a severity value of 7.8.
Which software versions are affected by CVE-2023-29403?
The affected software versions are Go up to version 1.19.10, Go versions 1.20.0 to 1.20.5, and Fedora version 38.
How can CVE-2023-29403 be exploited?
CVE-2023-29403 can be exploited by executing a setuid/setgid binary with standard I/O, allowing for dangerous actions like dumping memory state or assuming the status of standard I/O file descriptors.
Are there any references available for CVE-2023-29403?
Yes, you can find references for CVE-2023-29403 at the following links: [link1](https://go.dev/cl/501223), [link2](https://go.dev/issue/60272), [link3](https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ)

collector/nvd-index
agent/weakness
agent/type
agent/first-publish-date
agent/title
agent/remedy
collector/nvd-api
agent/software-canonical-lookup-request
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-29403
agent/software-canonical-lookup
agent/severity
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
collector/nvd-cve
source/NVD
agent/references
agent/author
agent/softwarecombine
agent/tags
collector/usn-cve
source/Ubuntu
agent/description
agent/event
collector/ibm-support
source/IBM
vendor/golang
canonical/golang go
version/golang go/1.20.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/38
package-manager/redhat
package-manager/debian
vendor/ibm
canonical/ibm concert software
version/ibm concert software/1.0.0 - 1.0.1