CVE-2022-23773
Severity: HIGH 7.5 | EPSS: 0.12% | Incorrect access control in the go command in cmd/go/internal/modfetch
Published: 2022/8/1 | Modified: 2026/4/28
Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
Affected packages (3)
- Bitnami/golang: from 0, < 1.16.14; >= 1.17.0, < 1.17.7
- Debian/golang-1.15: from 0, < 1.15.15-1~deb11u3
- Go/toolchain: from 0, < 1.16.14; >= 1.17.0-0, < 1.17.7
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (9)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-23773
- PATCH: https://go.dev/cl/378400
- PATCH: https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
- REPORT: https://go.dev/issue/35671
- WEB: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2022-23773
- WEB: https://security.gentoo.org/glsa/202208-02
- WEB: https://security.netapp.com/advisory/ntap-20220225-0006/
- WEB: https://www.oracle.com/security-alerts/cpujul2022.html