CVE-2023-45284: Incorrect detection of reserved device names on Windows in path/filepath
First published: Thu Nov 09 2023(Updated: )
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.20.11 | |
| Golang Go | >=1.21.0-0<1.21.4 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-45284?
CVE-2023-45284 is a vulnerability that affects the path/filepath package in Golang Go.
What is the severity of CVE-2023-45284?
CVE-2023-45284 has a severity of medium, with a severity value of 5.3.
How does CVE-2023-45284 affect Golang Go?
CVE-2023-45284 affects Golang Go versions up to 1.20.11 and versions 1.21.0-0 to 1.21.4.
How can I fix CVE-2023-45284?
To fix CVE-2023-45284, update Golang Go to a version that is not vulnerable, such as version 1.20.12 or 1.21.5.
Where can I find more information about CVE-2023-45284?
You can find more information about CVE-2023-45284 in the references provided: [Link 1](https://go.dev/issue/63713), [Link 2](https://go.dev/cl/540277), [Link 3](https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY).
- collector/mitre-cve
- collector/nvd-api
- vendor/golang
- canonical/golang go
- version/golang go/1.21.0-0
- vendor/microsoft
- canonical/microsoft windows