{
  "threat_severity" : "Important",
  "public_date" : "2023-06-08T00:00:00Z",
  "bugzilla" : {
    "description" : "golang: runtime: unexpected behavior of setuid/setgid binaries",
    "id" : "2216965",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2216965"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-668",
  "details" : [ "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.", "On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state or assuming the status of standard I/O file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Tools",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3920",
    "cpe" : "cpe:/a:redhat:devtools:2023::el7",
    "package" : "go-toolset-1.19-0:1.19.10-1.el7_9"
  }, {
    "product_name" : "Red Hat Developer Tools",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3920",
    "cpe" : "cpe:/a:redhat:devtools:2023::el7",
    "package" : "go-toolset-1.19-golang-0:1.19.10-1.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3922",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "go-toolset:rhel8-8080020230627164522.6b4b45d8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3923",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "golang-0:1.19.10-1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-06-29T00:00:00Z",
    "advisory" : "RHSA-2023:3923",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "go-toolset-0:1.19.10-1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/argo-rollouts-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Affected",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Affected",
    "package_name" : "go-toolset-7-golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-29403\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-29403\nhttps://go.dev/cl/501223\nhttps://go.dev/issue/60272\nhttps://groups.google.com/g/golang-announce/c/q5135a9d924/m/j0ZoAJOHAwAJ\nhttps://pkg.go.dev/vuln/GO-2023-1840" ],
  "name" : "CVE-2023-29403",
  "csaw" : false
}