Vulnerability CVE-2022-23773: Information
Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
golang | sisyphus | 1.17.7-alt1 | 1.22.2-alt1 | ALT-PU-2022-1265-1 | 295238 | Fixed |
golang | sisyphus_riscv64 | 1.17.7-alt1 | 1.22.2-alt1 | ALT-PU-2022-4022-1 | - | Fixed |
golang | p10 | 1.16.14-alt1 | 1.21.9-alt1 | ALT-PU-2022-1283-1 | 295237 | Fixed |
golang | p9 | 1.19.12-alt1 | 1.15.15-alt1 | ALT-PU-2023-5153-1 | 326713 | Testing |
golang | c10f1 | 1.16.14-alt1 | 1.21.9-alt1 | ALT-PU-2022-1283-1 | 295237 | Fixed |
golang | c9f2 | 1.16.15-alt1.c9 | 1.20.11-alt1 | ALT-PU-2022-1435-1 | 296257 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | |
https://security.netapp.com/advisory/ntap-20220225-0006/ | |
N/A | |
GLSA-202208-02 | |