CVE-2022-23773
Aliases:GO-2022-0318BIT-golang-2022-23773
Advisory lineage Upstream: 0 Downstream: 15
Modified
Published: 11 Feb 2022, 00:16
Last modified:03 Aug 2024, 03:51
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.12% LOW
0% probability +0.06%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
11 Feb 2022, 00:16
Published
Vulnerability first disclosed
03 Aug 2024, 03:51
Last Modified
Vulnerability information updated
Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.12%• Percentile: 30%
Techniques & Countermeasures
- CWE-436•Interpretation Conflict
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Affected Systems
- golang•go
< 1.16.14 | ≥ 1.17.0, < 1.17.7
- Go•toolchain
≥ 1.17.0-0, < 1.17.7
- netapp•beegfs_csi_driver
na
- netapp•cloud_insights_telegraf_agent
na
- netapp•kubernetes_monitoring_operator
na
- netapp•storagegrid
na
References (7)
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://security.netapp.com/advisory/ntap-20220225-0006/
- https://security.gentoo.org/glsa/202208-02
- https://go.dev/cl/378400
- https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
- https://go.dev/issue/35671