Bug 2053541 (CVE-2022-23773) - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-23773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2053543 2054844 2054845 2054846 2056095 2056098 2056102 2067531 2068803 2068827 2068828 2068829 2068836 2073717 2073718 2080392 2080393 2080394 2080397 2080398 2080399 2080400 2080401 2080402 2080403 2080404 2053542 2053544 2054242 2054245 2054842 2068662 2068663 2068664 2068670 2068671 2068673 2080395 2080396
Blocks: 2053545
Reported: 2022-02-11 13:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-06-15 20:15 UTC (History)

Fixed In Version: go 1.17.7, go 1.16.14
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-11 16:46:01 UTC




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:1819  0        None      None    None     2022-05-10 13:39:12 UTC
Red Hat Product Errata  RHSA-2022:4860  0        None      None    None     2022-06-01 11:46:25 UTC
Red Hat Product Errata  RHSA-2022:4863  0        None      None    None     2022-06-01 13:59:38 UTC
Red Hat Product Errata  RHSA-2022:5004  0        None      None    None     2022-06-13 12:33:38 UTC

Description Guilherme de Almeida Suckevicz 2022-02-11 13:39:20 UTC
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.

Reference:
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
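The description above boils down to one property a repository owner can audit for: a branch under refs/heads/ whose short name has the shape of a semantic-version tag. The following Go program is an added example written for this page, not code from the Go project or from the bug report. It scans constructed `git ls-remote`-style output for such branches and also shows the shape of a server-side ref-name policy (the hypothetical CheckRefUpdate helper, as a pre-receive hook might apply it) that refuses to create branches with version-tag-looking names, so that a user who may create branches cannot produce something that resolves like a tag. The semver pattern is an approximation of the v MAJOR.MINOR.PATCH form, not the go command's own parser.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sampleRefs is constructed sample data in the format printed by `git ls-remote`
// (hash, whitespace, full ref name). It is not taken from any real repository.
// refs/heads/v1.2.3 is a branch whose name looks like a version tag.
const sampleRefs = `0123456789abcdef0123456789abcdef01234567 refs/heads/main
89abcdef0123456789abcdef0123456789abcdef refs/heads/feature/login
fedcba9876543210fedcba9876543210fedcba98 refs/heads/v1.2.3
0fedcba9876543210fedcba9876543210fedcba9 refs/tags/v1.2.2
10fedcba9876543210fedcba9876543210fedcba refs/tags/v1.2.3^{}
`

// semverTag approximates the version-tag shape the go command resolves:
// v MAJOR.MINOR.PATCH with optional pre-release and build metadata,
// anchored on the whole short ref name (assumption: not the go command's own parser).
var semverTag = regexp.MustCompile(
	`^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// Finding records a branch whose short name would be mistaken for a version tag.
type Finding struct {
	Branch string // short branch name, e.g. "v1.2.3"
	Hash   string // commit the branch points at
}

// VersionLikeBranches parses ls-remote output and returns every ref under
// refs/heads/ whose short name matches the semver tag pattern.
// Tags (refs/tags/...) and peeled tag entries (^{}) are ignored on purpose:
// only branches are in scope for this check.
func VersionLikeBranches(lsRemote string) []Finding {
	var out []Finding
	for _, line := range strings.Split(lsRemote, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		hash, ref := fields[0], fields[1]
		if !strings.HasPrefix(ref, "refs/heads/") {
			continue
		}
		name := strings.TrimPrefix(ref, "refs/heads/")
		if semverTag.MatchString(name) {
			out = append(out, Finding{Branch: name, Hash: hash})
		}
	}
	return out
}

// CheckRefUpdate is a hypothetical ref-name policy of the kind a pre-receive
// hook could enforce: branch names that look like version tags are rejected,
// everything else (other branches, real tags) is allowed.
func CheckRefUpdate(ref string) error {
	if !strings.HasPrefix(ref, "refs/heads/") {
		return nil
	}
	name := strings.TrimPrefix(ref, "refs/heads/")
	if semverTag.MatchString(name) {
		return errors.New("refusing branch " + name + ": name has the form of a version tag")
	}
	return nil
}

func main() {
	for _, f := range VersionLikeBranches(sampleRefs) {
		fmt.Printf("branch %q at %s looks like a version tag\n", f.Branch, f.Hash)
	}
	for _, ref := range []string{"refs/heads/v2.0.0-rc1", "refs/heads/release/v2.0.0", "refs/tags/v2.0.0"} {
		if err := CheckRefUpdate(ref); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("allowed: ", ref)
		}
	}
}
```

On the sample data the scan reports only refs/heads/v1.2.3; the policy rejects refs/heads/v2.0.0-rc1 but allows refs/heads/release/v2.0.0 (the version string is not the whole name) and the real tag refs/tags/v2.0.0. Updating to the fixed go versions named in the bug is still the actual remedy; the check only surfaces refs that would have been misread by the vulnerable versions.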

Comment 1 Guilherme de Almeida Suckevicz 2022-02-11 13:40:43 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2053542]
Affects: fedora-all [bug 2053544]
Affects: openstack-rdo [bug 2053543]

Comment 14 errata-xmlrpc 2022-05-10 13:39:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1819 https://access.redhat.com/errata/RHSA-2022:1819

Comment 15 Product Security DevOps Team 2022-05-11 16:45:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23773

Comment 16 errata-xmlrpc 2022-06-01 11:46:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:4860 https://access.redhat.com/errata/RHSA-2022:4860

Comment 17 errata-xmlrpc 2022-06-01 13:59:32 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.22

Via RHSA-2022:4863 https://access.redhat.com/errata/RHSA-2022:4863

Comment 18 errata-xmlrpc 2022-06-13 12:33:32 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5004 https://access.redhat.com/errata/RHSA-2022:5004
