CVE-2022-29804 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Go	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Vendor	Product	Version
golang	go	𝑥 < 1.17.11
golang	go	1.18.0 ≤ 𝑥 < 1.18.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-1.15

bullseye

1.15.15-1~deb11u4

fixed

Ubuntu Releases

Ubuntu Product

Codename

golang-1.15

impish

ignored

golang-1.17

lunar	dne
kinetic	dne
jammy	not-affected
impish	not-affected

golang-1.18

lunar	dne
kinetic	dne
jammy	not-affected
focal	not-affected
bionic	not-affected

golang-1.8

bionic

not-affected

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://go.dev/cl/401595

https://go.dev/issue/52476

https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

https://pkg.go.dev/vuln/GO-2022-0533

https://go.dev/cl/401595

https://go.dev/issue/52476

https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

https://pkg.go.dev/vuln/GO-2022-0533