#VU62037 Incorrect authorization in Go programming language


Published: 2022-09-18

Vulnerability identifier: #VU62037

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-23773

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to  a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.17 - 1.17.6, 1.16 - 1.16.13

CPE

External links
http://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
http://security.netapp.com/advisory/ntap-20220225-0006/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Splunk Enterprise update for third-party packages
Multiple vulnerabilities in Dell PowerProtect Cyber Recovery
Incorrect authorization in IBM Cloud Pak for Data Version
Multiple vulnerabilities in Service Telemetry Framework
Amazon Linux AMI update for golang
Multiple vulnerabilities in OpenShift Virtualization 4.12
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for Golang Go
Multiple vulnerabilities in IBM Cloud Pak System
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Cloud Transformation Advisor