CVE-2022-23773
Incorrect access control in the go command in cmd/go/internal/modfetch
7.5
HIGH
CVSS 3.1
EPSS 0.12%
Description
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
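As an added illustration (not the go command's own code), the following Go program models the ref-resolution mistake the description refers to: a version query such as v1.0.0 is answered from a list of refs as `git ls-remote` would report them, first by matching the short ref name in any namespace, then by matching only refs under refs/tags/. The repository listing and commit hashes are constructed, and `branchesPosingAsTags` is a hypothetical audit helper that lists branches whose names would parse as module version tags.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Ref is one line of `git ls-remote` output: a full ref name and the commit it points to.
type Ref struct {
	Name string // e.g. "refs/tags/v1.0.0" or "refs/heads/v1.0.0"
	Hash string
}

// Constructed commit hashes for the sample repository below (not real commits).
const (
	mainHash         = "1111111111111111111111111111111111111111"
	tagHash          = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" // owner's release tag v1.0.0
	branchShadowHash = "cccccccccccccccccccccccccccccccccccccccc" // contributor's branch named v1.0.0
	branchFakeHash   = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" // contributor's branch named v1.0.1
)

// sampleRefs is a constructed listing in the order git ls-remote reports refs
// (sorted by full name, so refs/heads/* precede refs/tags/*). A contributor who may
// push branches but not tags has created branches called v1.0.0 and v1.0.1.
var sampleRefs = []Ref{
	{"refs/heads/main", mainHash},
	{"refs/heads/v1.0.0", branchShadowHash},
	{"refs/heads/v1.0.1", branchFakeHash},
	{"refs/tags/v1.0.0", tagHash},
}

// semverTag accepts the vMAJOR.MINOR.PATCH[-pre][+build] shape of a Go module version.
var semverTag = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// shortName strips the branch or tag namespace; a comparison on the short name
// alone is exactly what loses track of where a ref came from.
func shortName(full string) string {
	full = strings.TrimPrefix(full, "refs/heads/")
	return strings.TrimPrefix(full, "refs/tags/")
}

// resolveVulnerable models the misinterpretation: the first ref whose short name
// equals the requested version wins, whatever namespace it lives in.
func resolveVulnerable(refs []Ref, version string) (string, bool) {
	for _, r := range refs {
		if shortName(r.Name) == version {
			return r.Hash, true
		}
	}
	return "", false
}

// resolveFixed accepts only refs in the tag namespace, so a branch cannot satisfy
// a version query no matter what it is called.
func resolveFixed(refs []Ref, version string) (string, bool) {
	for _, r := range refs {
		if strings.HasPrefix(r.Name, "refs/tags/") && shortName(r.Name) == version {
			return r.Hash, true
		}
	}
	return "", false
}

// branchesPosingAsTags is a hypothetical audit helper: it returns the branch names
// that would parse as module version tags, i.e. the refs an unpatched go command
// could mistake for releases.
func branchesPosingAsTags(refs []Ref) []string {
	var out []string
	for _, r := range refs {
		if strings.HasPrefix(r.Name, "refs/heads/") && semverTag.MatchString(shortName(r.Name)) {
			out = append(out, shortName(r.Name))
		}
	}
	return out
}

func main() {
	for _, v := range []string{"v1.0.0", "v1.0.1"} {
		h, ok := resolveVulnerable(sampleRefs, v)
		fmt.Printf("vulnerable %s -> %q found=%v\n", v, h, ok)
		h, ok = resolveFixed(sampleRefs, v)
		fmt.Printf("fixed      %s -> %q found=%v\n", v, h, ok)
	}
	fmt.Println("branches that look like version tags:", branchesPosingAsTags(sampleRefs))
}
```

Run against the sample listing, the vulnerable resolver hands back the contributor's branch commit for both v1.0.0 (shadowing the real tag) and v1.0.1 (a release that was never tagged), while the fixed resolver returns the owner's tag for v1.0.0 and nothing for v1.0.1. Repository owners on an unpatched toolchain can run the audit helper's logic against real `git ls-remote` output to find branches that need renaming.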
How to fix CVE-2022-23773
To remediate CVE-2022-23773, upgrade the affected package to one of the fixed versions below. Note that 1.17.0 through 1.17.6 are also affected, so the 1.17 series needs 1.17.7 or later.
- upgrade to 1.16.14 or later (1.17.x: 1.17.7 or later)
- upgrade to 1.15.15-1~deb11u3 or later (Debian-packaged version)
- upgrade to 1.16.14 or later (1.17.x: 1.17.7 or later)
Is CVE-2022-23773 being exploited?
Low. The EPSS score is 0.12%, an estimated probability of exploitation in the wild over the next 30 days; no widespread exploitation activity is reflected in it. Exploitation also requires an attacker who can push branches to a repository that consumers fetch as a Go module.
Affected packages (3)
- all versions < 1.16.14, and >= 1.17.0 < 1.17.7
- all versions < 1.15.15-1~deb11u3
- all versions < 1.16.14, and >= 1.17.0-0 < 1.17.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |