Vulnerability Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
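The condition described above can be audited from the defender's side: given the ref list of a module's repository, any branch (a `refs/heads/` ref) whose name parses as a semantic version is exactly the kind of name that an unfixed cmd/go could resolve as if it were a tag. The following Go program is an added example, not code from the Go project or from this advisory; the ref listing is constructed inline in the shape `git ls-remote` prints, and the `semverTag` pattern is an assumption that approximates the `vMAJOR.MINOR.PATCH[-prerelease]` shape of module version tags.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the format of `git ls-remote <url>` output:
// "<sha>\t<refname>" per line. Not taken from any real repository.
const sampleRefs = `0123456789abcdef0123456789abcdef01234567	refs/heads/main
0123456789abcdef0123456789abcdef01234568	refs/heads/v1.2.3
0123456789abcdef0123456789abcdef01234569	refs/tags/v1.2.2
0123456789abcdef0123456789abcdef0123456a	refs/tags/v1.3.0
0123456789abcdef0123456789abcdef0123456b	refs/heads/v1.2.4-rc1
0123456789abcdef0123456789abcdef0123456c	refs/heads/release-1.2
`

// semverTag approximates the tag names cmd/go treats as module versions
// (assumption for this example, not the exact rule used by cmd/go).
var semverTag = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$`)

// VersionLikeBranches returns the names of branches (refs/heads/*) that look
// like version tags. Tags themselves are never reported: the point of the
// check is to find branch names that could be mistaken for tags.
func VersionLikeBranches(lsRemote string) []string {
	var found []string
	for _, line := range strings.Split(lsRemote, "\n") {
		fields := strings.Fields(line) // [sha, refname]
		if len(fields) != 2 {
			continue
		}
		ref := fields[1]
		if !strings.HasPrefix(ref, "refs/heads/") {
			continue // tags and other refs are legitimate version sources
		}
		name := strings.TrimPrefix(ref, "refs/heads/")
		if semverTag.MatchString(name) {
			found = append(found, name)
		}
	}
	return found
}

func main() {
	for _, b := range VersionLikeBranches(sampleRefs) {
		fmt.Printf("branch %q is named like a version tag; only tags should resolve as module versions\n", b)
	}
}
```

On a real repository, pipe the output of `git ls-remote` into `VersionLikeBranches`; a non-empty result means branch-creation rights in that repository are enough to publish a version-looking name to an unpatched cmd/go.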
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.16.14 |
| Netapp | Beegfs Csi Driver | - |
| Netapp | Cloud Insights Telegraf Agent | - |
| Netapp | Kubernetes Monitoring Operator | - |
| Netapp | Storagegrid | - |
Related Weaknesses (CWE)
References
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ (Release Notes, Vendor Advisory)
- https://security.gentoo.org/glsa/202208-02 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220225-0006/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Third Party Advisory)
FAQ
What is CVE-2022-23773?
CVE-2022-23773 is a vulnerability with a CVSS score of 7.5 (HIGH). cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able ...
How severe is CVE-2022-23773?
CVE-2022-23773 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23773?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Netapp Beegfs Csi Driver, Netapp Cloud Insights Telegraf Agent, Netapp Kubernetes Monitoring Operator, Netapp Storagegrid.