CVE-2022-23773
golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
- Public Exploits: 3
- Exploited in Wild: -
Descriptions
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
cmd/go in Go versions before 1.16.14 and 1.17.x versions before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if it is assumed that an actor can create branches but not tags.
A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch whose name resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.
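The descriptions above boil down to one shape of misuse: a branch named so that it parses as a Go module version (for example `v1.2.3`) can be mistaken for a release tag. A defender-side audit for that condition is shown below as an added example; it is not code from the Go project or from this advisory. It assumes the ref list comes from a command such as `git for-each-ref --format='%(refname)'`; the refs embedded here are constructed sample data, not from any real repository.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// semverTag matches the tag shape the go command treats as a module version:
// a "v" prefix, MAJOR.MINOR.PATCH, and optional pre-release and build parts.
var semverTag = regexp.MustCompile(
	`^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// LooksLikeVersionTag reports whether a ref's short name has the shape of a
// Go module version tag.
func LooksLikeVersionTag(name string) bool {
	return semverTag.MatchString(name)
}

// AuditRefs takes full ref names and returns, sorted, the branch refs whose
// short name is indistinguishable from a version tag. Those are the branches a
// contributor limited to "create branches, not tags" could use to publish what
// looks like a release on an unpatched go command, so they deserve review.
// Tags and remote-tracking refs are ignored; only refs/heads/ is examined.
func AuditRefs(refs []string) []string {
	var suspicious []string
	for _, ref := range refs {
		if !strings.HasPrefix(ref, "refs/heads/") {
			continue
		}
		short := strings.TrimPrefix(ref, "refs/heads/")
		if LooksLikeVersionTag(short) {
			suspicious = append(suspicious, ref)
		}
	}
	sort.Strings(suspicious)
	return suspicious
}

func main() {
	// Constructed sample ref list (assumption: output of git for-each-ref).
	refs := []string{
		"refs/heads/main",
		"refs/heads/v1.2.3",          // branch shaped exactly like a release tag
		"refs/heads/v0.0.0-20220101", // pre-release shape, also flagged
		"refs/heads/feature/v2",      // not a full version, fine
		"refs/tags/v1.0.0",           // real tag, ignored
		"refs/remotes/origin/v9.9.9", // remote-tracking ref, ignored
	}
	for _, r := range AuditRefs(refs) {
		fmt.Println("branch shaped like a version tag:", r)
	}
}
```

Running this against a repository's full ref list in CI, or as a server-side hook that rejects branch creation when `LooksLikeVersionTag` is true, removes the ambiguity regardless of which Go toolchain consumers are running; upgrading to Go 1.16.14 / 1.17.7 remains the fix for the go command itself.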
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-20 CVE Reserved
- 2022-02-11 CVE Published
- 2022-09-16 First Exploit
- 2024-08-03 CVE Updated
- 2024-10-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-436: Interpretation Conflict
- CWE-1220: Insufficient Granularity of Access Control
CAPEC
References (9)

| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20220225-0006 | Third Party Advisory | |
| https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory | |

| URL | Date | SRC |
|---|---|---|
| https://github.com/danbudris/CVE-2022-23773-repro | 2022-09-16 | |
| https://github.com/danbudris/CVE-2022-23773-repro-target | 2022-09-16 | |
| https://github.com/YouShengLiu/CVE-2022-23773-Reproduce | 2023-05-31 | |

| URL | Date | SRC |
|---|---|---|
| https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | 2023-08-08 | |
| https://security.gentoo.org/glsa/202208-02 | 2023-08-08 | |
| https://access.redhat.com/security/cve/CVE-2022-23773 | 2023-03-30 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2053541 | 2023-03-30 | |
Affected Vendors, Products, and Versions

| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Golang | Go | < 1.16.14 | - | Affected |
| Golang | Go | >= 1.17.0 < 1.17.7 | - | Affected |
| Netapp | Beegfs Csi Driver | - | - | Affected |
| Netapp | Cloud Insights Telegraf Agent | - | - | Affected |
| Netapp | Kubernetes Monitoring Operator | - | - | Affected |
| Netapp | Storagegrid | - | - | Affected |