blob: ea874623bcbfb90b4805db55f5a7da01de99445b [file] [log] [blame]
id: GO-2022-0318
modules:
- module: cmd
versions:
- fixed: 1.16.14
- introduced: 1.17.0-0
- fixed: 1.17.7
vulnerable_at: 1.17.6
packages:
- package: cmd/go/internal/modfetch
symbols:
- codeRepo.convert
- codeRepo.validatePseudoVersion
skip_fix: 'TODO: revisit this reason (cant request explicit version v1.17.6 of standard library package cmd/go/internal/modfetch)'
summary: Incorrect access control in the go command in cmd/go/internal/modfetch
description: |-
Incorrect access control is possible in the go command.
The go command can misinterpret branch names that falsely appear to be version
tags. This can lead to incorrect access control if an actor is authorized to
create branches but not tags.
published: 2022-08-01T22:20:42Z
cves:
- CVE-2022-23773
references:
- fix: https://go.dev/cl/378400
- fix: https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
- report: https://go.dev/issue/35671
- web: https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
review_status: REVIEWED