x/vulndb: add reports/GO-2022-0318.yaml for CVE-2022-23773

tatianab · Tatiana Bradley · commit 5a605e28566c · 2022-08-01T22:20:42.000Z
Fixes #318 Change-Id: I5f1543ae4aca58bd973b9f1307ef011c03f7959c Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/420655 Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/reports/GO-2022-0318.yaml b/reports/GO-2022-0318.yaml
@@ -0,0 +1,25 @@
+packages:
+  - module: std
+    package: cmd/go/internal/modfetch
+    symbols:
+      - codeRepo.convert
+      - codeRepo.validatePseudoVersion
+    versions:
+      - fixed: 1.16.14
+      - introduced: 1.17.0
+        fixed: 1.17.7
+    vulnerable_at: 1.17.6
+description: |
+    Incorrect access control is possible in the go command.
+
+    The go command can misinterpret branch names that falsely appear to be
+    version tags. This can lead to incorrect access control if an actor is
+    authorized to create branches but not tags.
+cves:
+  - CVE-2022-23773
+links:
+    pr: https://go.dev/cl/378400
+    commit: https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb
+    context:
+      - https://go.dev/issue/35671
+      - https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
