CVE-2022-23773

Опубликовано: 11 фев. 2022

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch, which resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.

Затронутые пакеты

Платформа	Пакет	Состояние
Migration Toolkit for Containers	cpma	Affected
Migration Toolkit for Containers	rhmtc/openshift-migration-velero-rhel8	Affected
OpenShift Serverless	CLI	Affected
OpenShift Serverless	knative-eventing	Affected
OpenShift Service Mesh 2.0	servicemesh	Affected
OpenShift Service Mesh 2.0	servicemesh-grafana	Affected
OpenShift Service Mesh 2.1	servicemesh-grafana	Will not fix
Red Hat Ceph Storage 2	golang	Out of support scope
Red Hat Ceph Storage 2	grafana	Out of support scope
Red Hat Ceph Storage 3	golang	Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-863->CWE-1220

https://bugzilla.redhat.com/show_bug.cgi?id=2053541golang: cmd/go: misinterpretation of branch names can lead to incorrect access control

EPSS

Процентиль: 20%

0.00062

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2022-23773

CVSS3: 7.5

ubuntu

больше 3 лет назад

CVE-2022-23773

CVSS3: 7.5

nvd

больше 3 лет назад

CVE-2022-23773

CVSS3: 7.5

msrc

больше 3 лет назад

Описание отсутствует

CVE-2022-23773

CVSS3: 7.5

debian

больше 3 лет назад

cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret ...

GHSA-52j8-p7r3-733m

CVSS3: 7.5

github

больше 3 лет назад

EPSS

Процентиль: 20%

0.00062

Низкий

7.5 High

CVSS3