Vulnerability Report: GO-2022-0318

standard library

CVE-2022-23773
Affects: cmd/go/internal/modfetch
Published: Aug 01, 2022
Modified: May 20, 2024

Incorrect access control is possible in the go command. The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.

Affected Packages

Path

Versions

Symbols
cmd/go/internal/modfetch

before go1.16.14, from go1.17.0-0 before go1.17.7
2 unexported affected symbols
- codeRepo.convert
- codeRepo.validatePseudoVersion

Aliases

CVE-2022-23773

References

https://go.dev/cl/378400
https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
https://go.dev/issue/35671
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
https://vuln.go.dev/ID/GO-2022-0318.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL