CVE-2022-41722

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GoCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
VendorProductVersion
golanggo
𝑥
< 1.19.6
golanggo
1.20.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-1.15
bullseye
unimportant
golang-1.19
bookworm
1.19.8-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-1.19
noble
dne
mantic
dne
lunar
not-affected
kinetic
ignored
jammy
dne
focal
dne
bionic
dne
xenial
ignored
trusty
ignored
golang-1.20
noble
dne
mantic
not-affected
lunar
not-affected
kinetic
dne
jammy
not-affected
focal
not-affected
bionic
dne
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://go.dev/cl/468123
https://go.dev/issue/57274
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1568
https://go.dev/cl/468123
https://go.dev/issue/57274
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://pkg.go.dev/vuln/GO-2023-1568