Vulnerability Report: GO-2022-0318
- CVE-2022-23773
- Affects: cmd/go/internal/modfetch
- Published: Aug 01, 2022
- Modified: Jun 12, 2023
Incorrect access control is possible in the go command. The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.
Affected Packages
-
PathVersionsSymbols
-
before go1.16.14, from go1.17.0-0 before go1.17.7all symbols
Aliases
References
- https://go.dev/cl/378400
- https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
- https://go.dev/issue/35671
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://vuln.go.dev/ID/GO-2022-0318.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.