CVE-2022-23773
HIGH7.5EPSS 0.12%Incorrect access control in the go command in cmd/go/internal/modfetch
Published: 8/1/2022Modified: 4/28/2026
Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Affected packages (3)
- Bitnami/golangfrom 0, < 1.16.14, >= 1.17.0, < 1.17.7
- Debian/golang-1.15from 0, < 1.15.15-1~deb11u3
- Go/toolchainfrom 0, < 1.16.14, >= 1.17.0-0, < 1.17.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (9)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-23773
- PATCHhttps://go.dev/cl/378400
- PATCHhttps://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
- REPORThttps://go.dev/issue/35671
- WEBhttps://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-23773
- WEBhttps://security.gentoo.org/glsa/202208-02
- WEBhttps://security.netapp.com/advisory/ntap-20220225-0006/
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html