{"id":"GO-2023-2383","summary":"Command 'go get' may unexpectedly fallback to insecure git in cmd/go","details":"Using go get to fetch a module with the \".git\" suffix may unexpectedly fallback to the insecure \"git://\" protocol if the module is unavailable via the secure \"https://\" and \"git+ssh://\" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).","aliases":["BIT-golang-2023-45285","CVE-2023-45285"],"modified":"2026-02-04T02:22:56.854538Z","published":"2023-12-06T16:22:51Z","related":["CGA-fxmm-m535-wqj5","RHSA-2024:0887","RHSA-2024:1041","RHSA-2024:1131"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-2383"},"references":[{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ"},{"type":"REPORT","url":"https://go.dev/issue/63845"},{"type":"FIX","url":"https://go.dev/cl/540257"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.20.12"},{"introduced":"1.21.0-0"},{"fixed":"1.21.5"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2383.json"}}],"schema_version":"1.7.3","credits":[{"name":"David Leadbeater"}]}