CVE-2022-23773

HIGH

Go < 1.16.14 - Interpretation Conflict

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-23773. PoCs published by danbudris, YouShengLiu.

AI-analyzed exploit summary: The repository contains only a README.md file with minimal content, lacking any exploit code or technical details for CVE-2022-23773.

Description

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Exploits (3)

nomisec STUB 1 star
by danbudris · poc
https://github.com/danbudris/CVE-2022-23773-repro

The repository contains only a README.md file with minimal content, lacking any exploit code or technical details for CVE-2022-23773.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by YouShengLiu · poc
https://github.com/YouShengLiu/CVE-2022-23773-Reproduce

This repository demonstrates CVE-2022-23773, a vulnerability in Go's module system where malicious branches could be mistakenly treated as valid versions. The PoC shows how Go versions before 1.19.3 incorrectly handle branch names like 'v0.3.0' as valid module versions.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Go module system (versions before 1.19.3)
No auth needed
Prerequisites: Go environment (versions 1.11.1 and 1.19.3 for comparison)
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by danbudris · poc
https://github.com/danbudris/CVE-2022-23773-repro-target

The repository contains a minimal Go code snippet and a README, but lacks any exploit logic or vulnerability demonstration for CVE-2022-23773. It appears to be a placeholder or incomplete proof-of-concept.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026

References (4)

Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Release Notes, Vendor Advisory x_refsource_misc
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220225-0006/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-02

Scores

CVSS v3 7.5
EPSS 0.0268
EPSS Percentile 83.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE CWE-436
Status published
Products (5)
golang/go < 1.16.14
netapp/beegfs_csi_driver
netapp/cloud_insights_telegraf_agent
netapp/kubernetes_monitoring_operator
netapp/storagegrid
Published Feb 11, 2022
Tracked Since Feb 18, 2026