CVE-2022-32190

Aliases:GO-2022-0988BIT-golang-2022-32190

Advisory lineage Upstream: 0 Downstream: 8

Downstream

DEBIAN-CVE-2022-32190 MGASA-2022-0356 OPENSUSE-SU-2024:12310-1 RHBA-2023:0568 RHSA-2022:7398 RHSA-2023:3204

Modified

Published: 13 Sept 2022, 17:08

Last modified:03 Aug 2024, 07:32

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.08% LOW

0% probability -0.09%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Sept 2022, 17:08

Published

Vulnerability first disclosed

03 Aug 2024, 07:32

Last Modified

Vulnerability information updated

Description

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.08%• Percentile: 25%

Techniques & Countermeasures

CWE-22•Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

go standard library•net/url
≥ 1.19.0-0, < 1.19.1
golang•go
1.19.0 | 1.19.0:beta1 | 1.19.0:rc1 | 1.19.0:rc2
Go•stdlib
≥ 1.19.0-0, < 1.19.1