data/reports/GO-2022-0318.yaml - vulndb - Git at Google

 modules:
   - module: cmd
     versions:
       - fixed: 1.16.14
       - introduced: 1.17.0
         fixed: 1.17.7
     vulnerable_at: 1.17.6
     packages:
       - package: cmd/go/internal/modfetch
         symbols:
           - codeRepo.convert
           - codeRepo.validatePseudoVersion
 description: |
     Incorrect access control is possible in the go command.

     The go command can misinterpret branch names that falsely appear to be
     version tags. This can lead to incorrect access control if an actor is
     authorized to create branches but not tags.
 published: 2022-08-01T22:20:42Z
 cves:
   - CVE-2022-23773
 references:
   - fix: https://go.dev/cl/378400
   - fix: https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
   - report: https://go.dev/issue/35671
   - web: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
	modules:
	- module: cmd
	versions:
	- fixed: 1.16.14
	- introduced: 1.17.0
	fixed: 1.17.7
	vulnerable_at: 1.17.6
	packages:
	- package: cmd/go/internal/modfetch
	symbols:
	- codeRepo.convert
	- codeRepo.validatePseudoVersion
	description: \|
	Incorrect access control is possible in the go command.

	The go command can misinterpret branch names that falsely appear to be
	version tags. This can lead to incorrect access control if an actor is
	authorized to create branches but not tags.
	published: 2022-08-01T22:20:42Z
	cves:
	- CVE-2022-23773
	references:
	- fix: https://go.dev/cl/378400
	- fix: https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
	- report: https://go.dev/issue/35671
	- web: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ