
CVE-2022-23773

golang: cmd/go: misinterpretation of branch names can lead to incorrect access control

  • Severity Score (CVSS v3.1): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 3
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

cmd/go in Go versions before 1.16.14 and 1.17.x versions before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if it is assumed that an actor can create branches but not tags.

A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch, which resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.

*Credits: N/A
CVSS Scores

CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -

* Organization's Worst-case Scenario
Timeline
  • 2022-01-20 CVE Reserved
  • 2022-02-11 CVE Published
  • 2022-09-16 First Exploit
  • 2024-08-03 CVE Updated
  • 2024-10-27 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-436: Interpretation Conflict
  • CWE-1220: Insufficient Granularity of Access Control
CAPEC
Affected Vendors, Products, and Versions

Vendor   Product                         Version               Other   Status
Golang   Go                              < 1.16.14             -       Affected
Golang   Go                              >= 1.17.0 < 1.17.7    -       Affected
Netapp   Beegfs Csi Driver               --                            Affected
Netapp   Cloud Insights Telegraf Agent   --                            Affected
Netapp   Kubernetes Monitoring Operator  --                            Affected
Netapp   Storagegrid                     --                            Affected