PT-2022-6711 · Go+7

256Dpi +1 · Published 2022-05-11 · Updated 2026-05-18 · CVE-2022-29526

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Go versions 1.17.0 through 1.17.9
Go versions 1.18.0 through 1.18.1

Description

The issue is related to incorrect privilege assignment in the Faccessat function of the Go programming language. This can allow an attacker to bypass existing security restrictions. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. The problem arises because the function checks a file's group permission bits if the process's user is a member of the process's group rather than a member of the file's group.

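The group-membership mix-up described above, modelled as an added example (not code from the Go project or from this advisory). The types `Creds` and `FileStat`, the helpers `inGroups` and `allowed`, and all uid/gid/mode values are hypothetical and constructed for illustration; only the non-root path is modelled.

```go
package main

import "fmt"

// Creds and FileStat are hypothetical model types, not types from package syscall.
type Creds struct {
	UID, GID uint32
	Groups   []uint32 // supplementary groups of the process
}

type FileStat struct {
	UID, GID uint32
	Mode     uint32 // permission bits, e.g. 0640
}

func inGroups(groups []uint32, gid uint32) bool {
	for _, g := range groups {
		if g == gid {
			return true
		}
	}
	return false
}

// allowed models which permission bits a userspace access check selects for
// a non-root caller. want is a mask of r=4, w=2, x=1.
// fixed=false: membership is tested on the process's own gid (the flaw above).
// fixed=true:  membership is tested on the file's gid.
func allowed(c Creds, st FileStat, want uint32, fixed bool) bool {
	var bits uint32
	switch {
	case c.UID == st.UID:
		bits = (st.Mode >> 6) & 7 // owner bits
	case c.GID == st.GID,
		fixed && inGroups(c.Groups, st.GID),
		!fixed && inGroups(c.Groups, c.GID):
		bits = (st.Mode >> 3) & 7 // group bits
	default:
		bits = st.Mode & 7 // other bits
	}
	return bits&want == want
}

func main() {
	// Constructed sample: a 0640 file owned by uid 0, gid 42; the caller is in neither.
	st := FileStat{UID: 0, GID: 42, Mode: 0640}
	c := Creds{UID: 1000, GID: 1000, Groups: []uint32{1000}}
	fmt.Println("flawed check reports readable:   ", allowed(c, st, 4, false))
	fmt.Println("corrected check reports readable:", allowed(c, st, 4, true))
}
```

Because a process's primary gid normally appears in its own group list, the flawed test is almost always true, so the group bits are consulted for files whose group the caller does not belong to.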
Recommendations

For Go versions 1.17.0 through 1.17.9, update to version 1.17.10 or later to resolve the issue. For Go versions 1.18.0 through 1.18.1, update to version 1.18.2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-zero flags parameters with the Faccessat function until a patch is applied.

Exploit

Fix

Improper Privilege Management

Weakness Enumeration

Related Identifiers

AZL-31975
AZL-33622
AZL-33629
AZL-33644
AZL-35007
AZL-35014
AZL-35039
AZL-35115
AZL-35283
AZL-37365
AZL-37490
AZL-38911
AZL-39668
AZL-43477
AZL-43729
AZL-43858
AZL-43900
AZL-43915
AZL-44238
AZL-44289
AZL-44313
AZL-45294
AZL-45402
AZL-47178
BDU:2023-03627
BIT-GOLANG-2022-29526
CESA-2022_5337
CLEANSTART-2026-BK59402
CLEANSTART-2026-BN11148
CLEANSTART-2026-CL65461
CLEANSTART-2026-FN44356
CLEANSTART-2026-GY69323
CLEANSTART-2026-HI89495
CLEANSTART-2026-HJ34439
CLEANSTART-2026-HL71566
CLEANSTART-2026-HV28992
CLEANSTART-2026-JD48541
CLEANSTART-2026-KA21986
CLEANSTART-2026-KZ30232
CLEANSTART-2026-LZ10721
CLEANSTART-2026-NV78596
CLEANSTART-2026-OH43332
CLEANSTART-2026-OS18490
CLEANSTART-2026-PK19530
CLEANSTART-2026-PZ62650
CLEANSTART-2026-SB85645
CLEANSTART-2026-SP51034
CLEANSTART-2026-TD34476
CLEANSTART-2026-TK38210
CLEANSTART-2026-XL45869
CLEANSTART-2026-YB44027
CLEANSTART-2026-ZM20570
CVE-2022-29526
GHSA-P782-XGP4-8HR8
GO-2022-0493
MGASA-2022-0210
OESA-2022-1857
OPENSUSE-SU-2022_1829-1
OPENSUSE-SU-2022_1862-1
OPENSUSE-SU-2024:12065-1
OPENSUSE-SU-2024:12066-1
RHSA-2022:5337
RHSA-2022:5729
RHSA-2022:5799
RHSA-2022:6277
RHSA-2022_5337
RHSA-2022_5799
RLSA-2022:5337
RLSA-2022:5799
SUSE-SU-2022:1829-1
SUSE-SU-2022:1862-1
SUSE-SU-2022_1829-1
SUSE-SU-2022_1862-1
SUSE-SU-2023:2312-1
USN-6038-1
USN-6038-2

Affected Products

Centos
Debian
Go
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu