CVE-2023-29403

Unsafe behavior in setuid/setgid binaries in runtime

Description

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.01%
Vendor Advisory go.dev
Affected: Go standard library runtime
Published at:
Updated at:

References

Link Tags
https://go.dev/issue/60272 issue tracking
https://go.dev/cl/501223 patch
https://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ release notes mailing list
https://pkg.go.dev/vuln/GO-2023-1840 vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBS3IIK6ADV24C5ULQU55QLT2UE762ZX/ mailing list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZ2O6YCO2IZMZJELQGZYR2WAUNEDLYV6/
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20241220-0009/

Frequently Asked Questions

What is the severity of CVE-2023-29403?
CVE-2023-29403 has been scored as a high severity vulnerability.
How to fix CVE-2023-29403?
To fix CVE-2023-29403, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-29403 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-29403 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-29403?
CVE-2023-29403 affects Go standard library runtime.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.