Access Control Vulnerability in Go Language Products by Google
CVE-2022-23773

7.5HIGH

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 11 February 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-23773?

In certain versions of the Go programming language, an access control misconfiguration arises from the misinterpretation of branch names as version tags. This vulnerability permits actors who should only have permissions to create branches to bypass restrictions and potentially create tags, leading to unauthorized actions within the source control ecosystem.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-23773-repro
Created by danbudris

CVE-2022-23773-repro-target
Created by danbudris

CVE-2022-23773-Reproduce
Created by YouShengLiu

References

https://www.oracle.com/security-alerts/cpujul2022.html

x_refsource_MISC

https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220225-0006/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 19, 2023
👾
Exploit known to exist
Mar 19, 2023
Vulnerability published
Feb 11, 2022
Vulnerability Reserved
Jan 20, 2022

Golang

Badges

What is CVE-2022-23773?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline