#VU62037 Incorrect authorization in Go programming language


Vulnerability identifier: #VU62037

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-23773

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists within cmd/go, which can misinterpret branch names that falsely appear to be version tags. This can lead to  a situation where an attacker can bypass implemented security restrictions and perform restricted actions, e.g. create tags when access was granted to create branches only.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.16 - 1.17.6


External links
http://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
http://security.netapp.com/advisory/ntap-20220225-0006/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability