CVE-2022-23773
published 2022-02-11CVE-2022-23773: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access…
PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
2.70%
84.0th percentile
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.15-1~deb11u3 (bullseye) | golang-1.15 1.15.15-1~deb11u3 (bullseye) |
| golang | go | < 1.16.14 | 1.16.14 |
| golang | go | >= 1.17.0 < 1.17.7 | 1.17.7 |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_golang_1.17.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_golang_1.16.14-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
vendor_redhat·2022-02-11·CVSS 7.5
CVE-2022-23773 [HIGH] CWE-266 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch, which resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.
Package: cpma (Migration Toolkit for Containers) - Affected
Package: rhmtc/openshift-migration-velero-rhel8 (Migration Toolkit for Containers) - Affec
Microsoft
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able
vendor_msrc·2022-02-08·CVSS 7.5
CVE-2022-23773 [HIGH] CWE-436 cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products i
Debian
CVE-2022-23773: golang-1.15 - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch nam...
vendor_debian·2022·CVSS 7.5
CVE-2022-23773 [HIGH] CVE-2022-23773: golang-1.15 - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch nam...
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Scope: local
bullseye: resolved (fixed in 1.15.15-1~deb11u3)
OSV
Incorrect access control in the go command in cmd/go/internal/modfetch
osv·2022-08-01
CVE-2022-23773 Incorrect access control in the go command in cmd/go/internal/modfetch
Incorrect access control in the go command in cmd/go/internal/modfetch
Incorrect access control is possible in the go command.
The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.
GHSA
GHSA-52j8-p7r3-733m: cmd/go in Go before 1
ghsa_unreviewed·2022-02-12
CVE-2022-23773 [HIGH] CWE-863 GHSA-52j8-p7r3-733m: cmd/go in Go before 1
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
OSV
CVE-2022-23773: cmd/go in Go before 1
osv·2022-02-11·CVSS 7.5
CVE-2022-23773 [HIGH] CVE-2022-23773: cmd/go in Go before 1
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQhttps://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20220225-0006/https://www.oracle.com/security-alerts/cpujul2022.htmlhttps://groups.google.com/g/golang-announce/c/SUsQn0aSgPQhttps://security.gentoo.org/glsa/202208-02https://security.netapp.com/advisory/ntap-20220225-0006/https://www.oracle.com/security-alerts/cpujul2022.html
2022-02-11
Published