{"api_version":"1","generated_at":"2026-04-22T23:31:34+00:00","cve":"CVE-2022-23773","urls":{"html":"https://cve.report/CVE-2022-23773","api":"https://cve.report/api/cve/CVE-2022-23773.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23773","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23773"},"summary":{"title":"CVE-2022-23773","description":"cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-02-11 01:15:00","updated_at":"2023-08-08 14:22:00"},"problem_types":["CWE-436"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20220225-0006/","name":"https://security.netapp.com/advisory/ntap-20220225-0006/","refsource":"CONFIRM","tags":[],"title":"February 2022 Golang Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ","name":"https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ","refsource":"MISC","tags":[],"title":"[security] Go 1.17.7 and Go 1.16.14 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202208-02","name":"GLSA-202208-02","refsource":"GENTOO","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23773","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23773","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"beegfs_csi_driver","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_insights_telegraf_agent","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"kubernetes_monitoring_operator","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23773","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"storagegrid","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23773","qid":"159810","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2022-1819)"},{"cve":"CVE-2022-23773","qid":"159886","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8addon (ELSA-2022-14857)"},{"cve":"CVE-2022-23773","qid":"179214","title":"Debian Security Update for golang-1.15 (CVE-2022-23773)"},{"cve":"CVE-2022-23773","qid":"240276","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2022:1819)"},{"cve":"CVE-2022-23773","qid":"240607","title":"Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:5068)"},{"cve":"CVE-2022-23773","qid":"240616","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:6094)"},{"cve":"CVE-2022-23773","qid":"353977","title":"Amazon Linux Security Advisory for golang : ALAS2-2022-1811"},{"cve":"CVE-2022-23773","qid":"354041","title":"Amazon Linux Security Advisory for golang : ALAS2-2022-1830"},{"cve":"CVE-2022-23773","qid":"354745","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1685"},{"cve":"CVE-2022-23773","qid":"355216","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-175"},{"cve":"CVE-2022-23773","qid":"356304","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-002"},{"cve":"CVE-2022-23773","qid":"376494","title":"Go Language Multiple Vulnerabilities"},{"cve":"CVE-2022-23773","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-23773","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-23773","qid":"501856","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-23773","qid":"502093","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-23773","qid":"502298","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2022-23773","qid":"671754","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1805)"},{"cve":"CVE-2022-23773","qid":"671755","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1788)"},{"cve":"CVE-2022-23773","qid":"671783","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1841)"},{"cve":"CVE-2022-23773","qid":"671789","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1865)"},{"cve":"CVE-2022-23773","qid":"671844","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1890)"},{"cve":"CVE-2022-23773","qid":"690794","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (096ab080-907c-11ec-bb14-002324b2fba8)"},{"cve":"CVE-2022-23773","qid":"710584","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202208-02)"},{"cve":"CVE-2022-23773","qid":"751793","title":"SUSE Enterprise Linux Security Update for go1.16 (SUSE-SU-2022:0724-1)"},{"cve":"CVE-2022-23773","qid":"751800","title":"SUSE Enterprise Linux Security Update for go1.17 (SUSE-SU-2022:0723-1)"},{"cve":"CVE-2022-23773","qid":"751818","title":"OpenSUSE Security Update for go1.16 (openSUSE-SU-2022:0724-1)"},{"cve":"CVE-2022-23773","qid":"751819","title":"OpenSUSE Security Update for go1.17 (openSUSE-SU-2022:0723-1)"},{"cve":"CVE-2022-23773","qid":"770161","title":"Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:5068)"},{"cve":"CVE-2022-23773","qid":"770162","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:6094)"},{"cve":"CVE-2022-23773","qid":"900688","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (8511)"},{"cve":"CVE-2022-23773","qid":"901029","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (8513-1)"},{"cve":"CVE-2022-23773","qid":"907777","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (8511-1)"},{"cve":"CVE-2022-23773","qid":"907794","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (8513-2)"},{"cve":"CVE-2022-23773","qid":"940527","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2022:1819)"},{"cve":"CVE-2022-23773","qid":"960394","title":"Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2022:1819)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-23773","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ","url":"https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220225-0006/","url":"https://security.netapp.com/advisory/ntap-20220225-0006/"},{"refsource":"GENTOO","name":"GLSA-202208-02","url":"https://security.gentoo.org/glsa/202208-02"}]}},"nvd":{"publishedDate":"2022-02-11 01:15:00","lastModifiedDate":"2023-08-08 14:22:00","problem_types":["CWE-436"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.17.0","versionEndExcluding":"1.17.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.16.14","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:kubernetes_monitoring_operator:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:beegfs_csi_driver:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23773","Ordinal":"226635","Title":"CVE-2022-23773","CVE":"CVE-2022-23773","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23773","Ordinal":"1","NoteData":"cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"23773","Ordinal":"2","NoteData":"2022-02-10","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"23773","Ordinal":"3","NoteData":"2022-02-10","Type":"Other","Title":"Modified"}]}}}