| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0318", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2022-08-01T22:20:42Z", |
| "aliases": [ |
| "CVE-2022-23773" |
| ], |
| "summary": "Incorrect access control in the go command in cmd/go/internal/modfetch", |
| "details": "Incorrect access control is possible in the go command.\n\nThe go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.", |
| "affected": [ |
| { |
| "package": { |
| "name": "toolchain", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.16.14" |
| }, |
| { |
| "introduced": "1.17.0-0" |
| }, |
| { |
| "fixed": "1.17.7" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "cmd/go/internal/modfetch", |
| "symbols": [ |
| "codeRepo.convert", |
| "codeRepo.validatePseudoVersion" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/378400" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/35671" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0318" |
| } |
| } |