{
  "threat_severity" : "Important",
  "public_date" : "2025-01-28T01:03:24Z",
  "bugzilla" : {
    "description" : "cmd/go: golang: GOAUTH credential leak in cmd/go",
    "id" : "2342465",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2342465"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-201",
  "details" : [ "Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials it should not have access to. By default, unless otherwise set, this only affected credentials stored in the user's .netrc file.", "A flaw was found in the cmd/go package in Golang. A malicious server can access credentials belonging to other servers due to how domains are parsed in the .netrc file, causing a credential leak. By default, this issue only affects credentials stored in the .netrc file." ],
  "statement" : "Red Hat Trusted Artifact Signer is not affected by this vulnerability because the vulnerable code was introduced in a newer golang version that is not used by this product.",
  "package_state" : [ {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/fulcio-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-45340\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45340\nhttps://go.dev/cl/643097\nhttps://go.dev/issue/71249\nhttps://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ\nhttps://pkg.go.dev/vuln/GO-2025-3383" ],
  "name" : "CVE-2024-45340",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}