Vulnerability CVE-2022-23773: Information

Description

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Published: Feb. 11, 2022
Modified: Aug. 8, 2023
Error type identifier: CWE-436

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| golang | sisyphus | 1.17.7-alt1 | 1.22.2-alt1 | ALT-PU-2022-1265-1 | 295238 | Fixed |
| golang | sisyphus_riscv64 | 1.17.7-alt1 | 1.22.2-alt1 | ALT-PU-2022-4022-1 | - | Fixed |
| golang | p10 | 1.16.14-alt1 | 1.21.9-alt1 | ALT-PU-2022-1283-1 | 295237 | Fixed |
| golang | p9 | 1.19.12-alt1 | 1.15.15-alt1 | ALT-PU-2023-5153-1 | 326713 | Testing |
| golang | c10f1 | 1.16.14-alt1 | 1.21.9-alt1 | ALT-PU-2022-1283-1 | 295237 | Fixed |
| golang | c9f2 | 1.16.15-alt1.c9 | 1.20.11-alt1 | ALT-PU-2022-1435-1 | 296257 | Fixed |

References to Advisories, Solutions, and Tools

| Hyperlink | Resource |
|---|---|
| https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | Release Notes, Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20220225-0006/ | Third Party Advisory |
| N/A | Third Party Advisory |
| GLSA-202208-02 | Third Party Advisory |

Configuration 1

  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  Start including: 1.17.0
  End excluding: 1.17.7

  cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
  End excluding: 1.16.14

Configuration 2

  cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*

  cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*

  cpe:2.3:a:netapp:kubernetes_monitoring_operator:-:*:*:*:*:*:*:*

  cpe:2.3:a:netapp:beegfs_csi_driver:-:*:*:*:*:*:*:*