Search for vulnerabilities
Vulnerability details: VCID-1rcr-aez1-aaam
Vulnerability ID VCID-1rcr-aez1-aaam
Aliases CVE-2023-29403
Summary On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-668 Exposure of Resource to Wrong Sphere
CWE-642 External Control of Critical State Data
System Score Found at
cvssv3 7.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29403.json
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.0008 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00085 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00091 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00096 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00096 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00096 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 0.00111 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-29403
cvssv3.1 7.8 https://go.dev/cl/501223
ssvc Track https://go.dev/cl/501223
cvssv3.1 7.8 https://go.dev/issue/60272
ssvc Track https://go.dev/issue/60272
cvssv3.1 7.8 https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
ssvc Track https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
cvssv3.1 7.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
cvssv3.1 7.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
cvssv3 7.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29403
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2023-29403
cvssv3.1 7.8 https://pkg.go.dev/vuln/GO-2023-1840
ssvc Track https://pkg.go.dev/vuln/GO-2023-1840
cvssv3.1 7.8 https://security.gentoo.org/glsa/202311-09
ssvc Track https://security.gentoo.org/glsa/202311-09
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29403.json
https://api.first.org/data/v1/epss?cve=CVE-2023-29403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29403
https://go.dev/cl/501223
https://go.dev/issue/60272
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
https://pkg.go.dev/vuln/GO-2023-1840
https://security.netapp.com/advisory/ntap-20241220-0009/
2216965 https://bugzilla.redhat.com/show_bug.cgi?id=2216965
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
CVE-2023-29403 https://nvd.nist.gov/vuln/detail/CVE-2023-29403
GLSA-202311-09 https://security.gentoo.org/glsa/202311-09
RHSA-2023:3920 https://access.redhat.com/errata/RHSA-2023:3920
RHSA-2023:3922 https://access.redhat.com/errata/RHSA-2023:3922
RHSA-2023:3923 https://access.redhat.com/errata/RHSA-2023:3923
USN-7061-1 https://usn.ubuntu.com/7061-1/
USN-7109-1 https://usn.ubuntu.com/7109-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29403.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://go.dev/cl/501223
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://go.dev/cl/501223
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://go.dev/issue/60272
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://go.dev/issue/60272
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29403
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29403
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2023-1840
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://pkg.go.dev/vuln/GO-2023-1840
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202311-09
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-01-06T19:53:25Z/ Found at https://security.gentoo.org/glsa/202311-09
Exploit Prediction Scoring System (EPSS)
Percentile 0.00692
EPSS Score 0.0001
Published At June 27, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.