GO-2022-0318

Source
https://storage.googleapis.com/go-vulndb/ID/GO-2022-0318.json
Aliases
Published
2022-08-01T22:20:42Z
Modified
2022-08-19T22:21:47Z
Details

Incorrect access control is possible in the go command.

The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.

References

Affected packages

Go / stdlib

stdlib

Affected ranges

Type
SEMVER
Events
Introduced 0, Fixed 1.16.14
Introduced 1.17.0, Fixed 1.17.7

Affected versions

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go/internal/modfetch",
            "symbols": [
                "codeRepo.convert",
                "codeRepo.validatePseudoVersion"
            ]
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2022-0318"
}