GO-2022-0318

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0318

Import Source

https://vuln.go.dev/ID/GO-2022-0318.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0318

Aliases

Published

2022-08-01T22:20:42Z

Modified

2024-05-20T16:03:47Z

Summary

Incorrect access control in the go command in cmd/go/internal/modfetch

Details

Incorrect access control is possible in the go command.

The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.

References

Affected packages

Go / toolchain

Package

Name: toolchain; View open source insights on deps.dev
Purl: pkg:golang/toolchain

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.14

Introduced

1.17.0-0

Fixed

1.17.7

Ecosystem specific

{
    "imports": [
        {
            "path": "cmd/go/internal/modfetch",
            "symbols": [
                "codeRepo.convert",
                "codeRepo.validatePseudoVersion"
            ]
        }
    ]
}