CVE-2023-29403 - Privilege Escalation Risk in gosu (setuid/setgid misuse)

Severity: None

2025-08-05

Abstract

On Unix platforms, the Go runtime does not behave differently when a binary is executed with the setuid/setgid bits set (CVE-2023-29403). gosu is a Go program, so it inherits this runtime behaviour. If a setuid/setgid Go binary is started with its standard I/O file descriptors closed, the next files it opens land on descriptors 0, 1 or 2, so data can be read from or written to them with elevated privileges; if it is terminated by a panic or a signal, it may also leak the contents of its registers.

The issue is only reachable when the binary actually runs with elevated privileges, that is, when it is installed setuid/setgid. Oxygen Content Fusion shipped gosu in specific Redis-based initialization containers.

Affected Products/Versions

Product                                 Severity   Fixed Release Availability
Oxygen Content Fusion v7.0 and older    None       Oxygen Content Fusion 7.1 build 2024100818

Mitigation

None required: gosu was not installed with the setuid/setgid bits in the Content Fusion containers, so the runtime issue is not reachable (see Detail).

Detail

CVE-2023-29403

Severity: High

CVSS Score: 7.8

On Unix systems, the Go runtime does not treat a setuid/setgid binary differently from an ordinary one. When a Go-based utility such as gosu is installed setuid/setgid and executed with its standard I/O file descriptors closed, the first files it opens take over descriptors 0, 1 and 2, so runtime output (for example a panic trace written to standard error) can end up in a file opened with elevated privileges, and an abnormal termination can expose register contents.

Content Fusion versions up to v7.0 included gosu v1.12, which was built with a Go release that predates the runtime fix (shipped in Go 1.19.10 and 1.20.5). However, gosu was not installed with the setuid/setgid bits, so the vulnerability is not exploitable in the Content Fusion environment.

Starting with Content Fusion v7.1 build 2024100818, the gosu binary was removed entirely from the Redis containers, so no future gosu or Go runtime issue of this kind can affect them.
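As an added example (not Syncro Soft's or the gosu project's code), the script below audits a container for the two conditions that would make this CVE reachable: a gosu binary carrying the setuid/setgid bits, and a gosu built on a Go runtime older than the fix in Go 1.19.10 / 1.20.5. It relies on gosu printing its version as `<gosu version> (<go version> on <os>/<arch>; <compiler>)` in response to `gosu --version`; the version strings shown in comments are constructed samples, and the default path /usr/local/bin/gosu is an assumption about where an image installs the binary.

```shell
#!/bin/sh
# Added example, not part of Content Fusion or gosu. Audits one gosu binary
# for CVE-2023-29403 exposure: setuid/setgid bits plus a pre-fix Go runtime.

# Return 0 if FILE has the setuid or setgid bit set, 1 otherwise.
# Uses only POSIX find primaries so it works with GNU and BSD find.
has_setuid_or_setgid() {
    f=$1
    [ -e "$f" ] || return 1
    # -prune stops find from descending if $f happens to be a directory.
    [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# Extract "X.Y.Z" from a gosu --version line such as
# "1.12 (go1.14.15 on linux/amd64; gc)" (constructed sample) -> "1.14.15".
# Prints nothing for unrecognised output (treated as unknown, i.e. unfixed).
go_version_from_gosu_output() {
    printf '%s\n' "$1" | sed -n 's/.*(go\([0-9][0-9.]*\) .*/\1/p'
}

# Return 0 if Go version X.Y[.Z] (no "go" prefix) contains the runtime fix,
# which shipped in Go 1.19.10 and 1.20.5; every later minor line has it.
go_runtime_fixed() {
    v=$1
    case "$v" in ''|*[!0-9.]*) return 1 ;; esac   # empty or not numeric
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;            # "1.21" means 1.21.0
    esac
    [ "$major" -eq 1 ] || return 0 # any later major line postdates the fix
    [ "$minor" -gt 20 ] && return 0
    [ "$minor" -eq 20 ] && { [ "$patch" -ge 5 ]; return $?; }
    [ "$minor" -eq 19 ] && { [ "$patch" -ge 10 ]; return $?; }
    return 1
}

# Audit one gosu path. Returns 0 when the binary is absent or is present
# without setuid/setgid bits; returns 1 when the bits are set (gosu must
# never be installed setuid). A pre-fix runtime is reported as a warning
# because it is only dangerous in combination with those bits.
audit_gosu() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo "OK: $bin not present"
        return 0
    fi
    rc=0
    if has_setuid_or_setgid "$bin"; then
        echo "RISK: $bin has the setuid/setgid bit set"
        rc=1
    else
        echo "OK: $bin is not setuid/setgid"
    fi
    gover=$(go_version_from_gosu_output "$("$bin" --version 2>/dev/null)")
    if go_runtime_fixed "$gover"; then
        echo "OK: built with Go $gover (runtime fix present)"
    else
        echo "WARN: built with Go '${gover:-unknown}' (pre-fix runtime);" \
             "exploitable only if the binary runs setuid/setgid"
    fi
    return $rc
}

# Stand-alone use: audit the path given as the first argument, or the
# assumed default install location.
audit_gosu "${1:-/usr/local/bin/gosu}"
```

Run it inside the container under test (for example `docker exec <container> sh audit.sh /usr/local/bin/gosu`); a non-zero exit means a setuid/setgid gosu was found, which is a misconfiguration regardless of the Go version it was built with.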