CVE-2022-29526 — Improper Privilege Management in X SYS

CWE-269 — Improper Privilege Management CWE-358 — Improperly Implemented Security Check for Standard12 documents8 sources

Severity

5.3MEDIUMNVD

OSV6.5

EPSS

0.2%

top 59.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X SYS Golang GO Fedoraproject Fedora

Timeline

PublishedJun 23

Latest updateJan 9

Description

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.18.0 — 1.18.2+1

▶Gogolang.org/x_sys< 0.0.0-20220412211240-33da011f77ad

Also affects: Fedora 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

golang-1.13, golang-1.16 vulnerabilities↗2024-01-09

▶

OSV

Incorrect privilege reporting in syscall and golang.org/x/sys/unix↗2022-07-15

▶

OSV

golang.org/x/sys/unix has Incorrect privilege reporting in syscall↗2022-06-24

▶

GHSA

golang.org/x/sys/unix has Incorrect privilege reporting in syscall↗2022-06-24

▶

OSV

CVE-2022-29526: Go before 1↗2022-06-23

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-01-09

▶

Ubuntu

Go vulnerabilities↗2023-04-25

▶

Microsoft

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter the Faccessat function could incorrectly report that a file is accessible.↗2022-06-14

▶

Red Hat

golang: syscall: faccessat checks wrong group↗2022-05-11

▶

Debian

CVE-2022-29526: golang-1.15 - Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. W...↗2022

▶