cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
References
Link | Resource |
---|---|
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | Release Notes Vendor Advisory |
https://security.gentoo.org/glsa/202208-02 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220225-0006/ | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujul2022.html | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
History
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-436 |
Information
Published : 2022-02-11 01:15
Updated : 2024-02-28 19:09
NVD link : CVE-2022-23773
Mitre link : CVE-2022-23773
CVE.ORG link : CVE-2022-23773
JSON object : View
Products Affected
netapp
- storagegrid
- beegfs_csi_driver
- cloud_insights_telegraf_agent
- kubernetes_monitoring_operator
golang
- go
CWE
CWE-436
Interpretation Conflict