CVE-2022-29804

Aliases:GO-2022-0533BIT-golang-2022-29804

Advisory lineage Upstream: 0 Downstream: 5

Downstream

OPENSUSE-SU-2024:12123-1 OPENSUSE-SU-2024:12124-1 SUSE-SU-2022:2004-1 SUSE-SU-2022:2005-1 SUSE-SU-2023:2312-1

Modified

Published: 09 Aug 2022, 00:00

Last modified:03 Aug 2024, 06:33

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.05% LOW

0% probability -0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Aug 2022, 00:00

Published

Vulnerability first disclosed

03 Aug 2024, 06:33

Last Modified

Vulnerability information updated

Description

Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.05%• Percentile: 15%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

go standard library•path/filepath
< 1.17.11 | ≥ 1.18.0-0, < 1.18.3
golang•go
< 1.17.11 | ≥ 1.18.0, < 1.18.3
Go•stdlib
≥ 1.18.0-0, < 1.18.3