Bug 2053541 (CVE-2022-23773) - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
Summary: CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2053543 2054846 2073717 2073718 2053542 2053544 2054242 2054245 2054842 2054844 2054845 2056095 2056098 2056102 2067531 2068662 2068663 2068664 2068670 2068671 2068673 2068803 2068827 2068828 2068829 2068836 2080392 2080393 2080394 2080395 2080396 2080397 2080398 2080399 2080400 2080401 2080402 2080403 2080404 2168805
Blocks: 2053545
TreeView+ depends on / blocked
 
Reported: 2022-02-11 13:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-18 18:55 UTC (History)
121 users (show)

Fixed In Version: go 1.17.7, go 1.16.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the go package of the cmd library in golang. The go command could be tricked into accepting a branch, which resembles a version tag. This issue could allow a remote unauthenticated attacker to bypass security restrictions and introduce invalid or incorrect tags, reducing the integrity of the environment.
Clone Of:
Environment:
Last Closed: 2022-05-11 16:46:01 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1819 0 None None None 2022-05-10 13:39:12 UTC
Red Hat Product Errata RHSA-2022:4860 0 None None None 2022-06-01 11:46:25 UTC
Red Hat Product Errata RHSA-2022:4863 0 None None None 2022-06-01 13:59:38 UTC
Red Hat Product Errata RHSA-2022:5004 0 None None None 2022-06-13 12:33:38 UTC
Red Hat Product Errata RHSA-2022:5068 0 None None None 2022-08-10 10:08:56 UTC
Red Hat Product Errata RHSA-2022:5875 0 None None None 2022-08-09 02:35:48 UTC
Red Hat Product Errata RHSA-2022:6094 0 None None None 2022-08-23 18:11:59 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:47:05 UTC
Red Hat Product Errata RHSA-2022:6526 0 None None None 2022-09-14 19:27:51 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:34:40 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:42:48 UTC

Description Guilherme de Almeida Suckevicz 2022-02-11 13:39:20 UTC 
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Reference:
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
Comment 1 Guilherme de Almeida Suckevicz 2022-02-11 13:40:43 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2053542]
Affects: fedora-all [bug 2053544]
Affects: openstack-rdo [bug 2053543]
Comment 14 errata-xmlrpc 2022-05-10 13:39:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819
Comment 15 Product Security DevOps Team 2022-05-11 16:45:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23773
Comment 16 errata-xmlrpc 2022-06-01 11:46:18 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:4860 https://access.redhat.com/errata/RHSA-2022:4860
Comment 17 errata-xmlrpc 2022-06-01 13:59:32 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.22

Via RHSA-2022:4863 https://access.redhat.com/errata/RHSA-2022:4863
Comment 18 errata-xmlrpc 2022-06-13 12:33:32 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004
Comment 19 errata-xmlrpc 2022-08-09 02:35:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5875 https://access.redhat.com/errata/RHSA-2022:5875
Comment 20 errata-xmlrpc 2022-08-10 10:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5068 https://access.redhat.com/errata/RHSA-2022:5068
Comment 23 errata-xmlrpc 2022-08-23 18:11:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6094 https://access.redhat.com/errata/RHSA-2022:6094
Comment 24 errata-xmlrpc 2022-08-24 13:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
Comment 25 errata-xmlrpc 2022-09-14 19:27:45 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526
Comment 26 errata-xmlrpc 2023-01-24 13:34:34 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 27 errata-xmlrpc 2023-03-30 00:42:42 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Note You need to log in before you can comment on or make changes to this bug.