#VU62037 Incorrect authorization in Go programming language

Published: 2022-09-18

Vulnerability identifier: #VU62037

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-23773


Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to  a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.

Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.17 - 1.17.6, 1.16 - 1.16.13

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability