PT-2022-16259 · Google+6 · Go+6

Published: 2022-02-11 · Updated: 2025-09-29 · CVE-2022-23773

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Go versions prior to 1.16.14
Go versions 1.17.x prior to 1.17.7

Description

The issue concerns incorrect access control. cmd/go in Go can misinterpret branch names that falsely appear to be version tags. This misinterpretation can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Recommendations

For Go versions prior to 1.16.14, update to version 1.16.14 or later.
For Go versions 1.17.x prior to 1.17.7, update to version 1.17.7 or later.

Related Identifiers

ALSA-2022:1819
ALSA-2022_1819
ALSA-2025_16880
ALT-PU-2022-1265
ALT-PU-2022-1283
ALT-PU-2022-1435
ALT-PU-2022-2873
AZL-8513
BIT-GOLANG-2022-23773
CESA-2022_1819
CVE-2022-23773
GO-2022-0318
MGASA-2022-0091
OESA-2022-1606
OPENSUSE-SU-2022:0723-1
OPENSUSE-SU-2022:0724-1
OPENSUSE-SU-2022_0723-1
OPENSUSE-SU-2022_0724-1
OPENSUSE-SU-2024:11843-1
OPENSUSE-SU-2024:11844-1
RHSA-2022:1819
RHSA-2022:4860
RHSA-2022:5004
RHSA-2022:5068
RHSA-2022:5729
RHSA-2022:6094
RHSA-2022_1819
RLSA-2022:1819
SUSE-SU-2022:0723-1
SUSE-SU-2022:0724-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Go
Red Hat
Rocky Linux
SUSE