Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23773

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Published

2022-02-11T01:15:07.707

Last Modified

2024-11-21T06:49:15.303

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-436

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	< 1.16.14	Yes
Application	golang	go	< 1.17.7	Yes
Application	netapp	beegfs_csi_driver	-	Yes
Application	netapp	cloud_insights_telegraf_agent	-	Yes
Application	netapp	kubernetes_monitoring_operator	-	Yes
Application	netapp	storagegrid	-	Yes

References

https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ Release Notes, Vendor Advisory ([email protected])
https://security.gentoo.org/glsa/202208-02 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220225-0006/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory ([email protected])
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-02 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220225-0006/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)