#VU62037 Incorrect authorization


Published: 2022-09-18

Vulnerability identifier: #VU62037

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-23773

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to  a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.17 - 1.17.6, 1.16 - 1.16.13


CPE

External links
http://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
http://security.netapp.com/advisory/ntap-20220225-0006/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability