Fluid Attacks Database

Description

Incorrect access control in the go command in cmd/go/internal/modfetch Incorrect access control is possible in the go command.

The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	toolchain	>=0 <1.16.14	1.16.14
debian 11	golang-1.15	=1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.9-6 \|\| >=0 <1.15.15-1~deb11u3	1.15.15-1~deb11u3
rpm rhel7	golang	-	-
rpm rhel8	go-toolset	<0:1.17.7-1.module+el8.6.0+14297+32a15e19	0:1.17.7-1.module+el8.6.0+14297+32a15e19

Aliases

1. CVE-2022-237732. NVD-2022-237733. OSV-GO-2022-03184. OSV-2022-237735. OSV-DEBIAN-2022-237736. GCVE-2022-237737. SECURITY-TRACKER-CVE-2022-23773

References

1. https://go.dev/cl/3784002. https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb3. https://go.dev/issue/356714. https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ5. https://github.com/danbudris/CVE-2022-23773-repro

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.