Severity
7.5 HIGH (NVD)
EPSS
0.1%
top 69.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 11
Latest update: Aug 1

Description

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

NVD | golang/go | 1.17.0 | 1.17.7 | +1

🔴Vulnerability Details

4
OSV
Incorrect access control in the go command in cmd/go/internal/modfetch | 2022-08-01
GHSA
GHSA-52j8-p7r3-733m: cmd/go in Go before 1 | 2022-02-12
CVEList
CVE-2022-23773: cmd/go in Go before 1 | 2022-02-11
OSV
CVE-2022-23773: cmd/go in Go before 1 | 2022-02-11

📋Vendor Advisories

3
Red Hat
golang: cmd/go: misinterpretation of branch names can lead to incorrect access control | 2022-02-11
Microsoft
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able | 2022-02-08
Debian
CVE-2022-23773: golang-1.15 - cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch nam... | 2022
CVE-2022-23773 — Interpretation Conflict in Golang GO | cvebase