The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
IPv4-mapped IPv6 addresses are a special format that allows IPv4 addresses to be represented in IPv6 address space (e.g., ::ffff:127.0.0.1 corresponds to 127.0.0.1). The Is* methods in the net/netip package did not treat these addresses the same as their pure IPv4 counterparts, so for example the address ::ffff:192.168.1.1 was not recognized as private. Applications relying on these functions to make security decisions could as a result incorrectly classify an address and allow access that should be blocked.
An attacker can bypass filters based on IP address classification (e.g., blocking private addresses, loopback, or link-local), which depending on the application may result in unauthorized access to resources, privilege escalation, or disclosure of sensitive data.
Apply patches available from the vendor according to the references (fix available at go.dev/cl/590316). It is recommended to update to the latest patched version of Go and review the code of applications using Is* methods in the context of IPv4-mapped IPv6 addresses.
Golang Go — versions indicated in the vendor references (see go.dev/issue/67680 and golang-announce mailing list)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGolang Go
APPGolang< 1.21.111.22.0 – 1.22.4 (bez)
Related vulnerabilities
Błąd arytmetyczny w kompilatorze Golang Go prowadzący do uszkodzenia pamięci
Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów
Golang crypto/tls: błędna walidacja certyfikatów przy wznawianiu sesji TLS
The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relati...
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" o...