CVE-2022-23773

HIGH

GO < 1.16.14 - Interpretation Conflict

Title source: rule

Description

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Exploits (3)

nomisec STUB 1 star
by danbudris · poc
https://github.com/danbudris/CVE-2022-23773-repro
nomisec WORKING POC
by YouShengLiu · poc
https://github.com/YouShengLiu/CVE-2022-23773-Reproduce
nomisec STUB
by danbudris · poc
https://github.com/danbudris/CVE-2022-23773-repro-target

Scores

CVSS v3 7.5
EPSS 0.0012
EPSS Percentile 30.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-436
Status published
Products (5)
golang/go < 1.16.14
netapp/beegfs_csi_driver
netapp/cloud_insights_telegraf_agent
netapp/kubernetes_monitoring_operator
netapp/storagegrid
Published Feb 11, 2022
Tracked Since Feb 18, 2026