CVE-2022-29804

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-29804
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://go.dev/cl/401595
https://go.dev/issue/52476
https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://pkg.go.dev/vuln/GO-2022-0533
https://go.dev/cl/401595
https://go.dev/issue/52476
https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://pkg.go.dev/vuln/GO-2022-0533
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

21 Nov 2024, 06:59

Type Values Removed Values Added
References () https://go.dev/cl/401595 - () https://go.dev/cl/401595 -
References () https://go.dev/issue/52476 - () https://go.dev/issue/52476 -
References () https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290 - () https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290 -
References () https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ - () https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ -
References () https://pkg.go.dev/vuln/GO-2022-0533 - () https://pkg.go.dev/vuln/GO-2022-0533 -

28 Feb 2023, 14:56

Type Values Removed Values Added
References
  • {'url': 'https://groups.google.com/g/golang-announce', 'name': 'https://groups.google.com/g/golang-announce', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg', 'name': 'https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg', 'tags': [], 'refsource': 'CONFIRM'}
  • (MISC) https://go.dev/issue/52476 - Patch, Vendor Advisory
  • (MISC) https://go.dev/cl/401595 - Patch, Vendor Advisory
  • (MISC) https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ - Mailing List, Release Notes
  • (MISC) https://pkg.go.dev/vuln/GO-2022-0533 - Patch, Vendor Advisory
  • (MISC) https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290 - Mailing List, Patch, Vendor Advisory
Summary In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to valid paths (such as c: in this example). Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

06 Sep 2022, 18:15

Type Values Removed Values Added
References
  • {'url': 'https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ', 'name': 'https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ', 'tags': ['Release Notes', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://go.dev/issue/52476', 'name': 'https://go.dev/issue/52476', 'tags': ['Exploit', 'Issue Tracking', 'Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://pkg.go.dev/vuln/GO-2022-0533', 'name': 'https://pkg.go.dev/vuln/GO-2022-0533', 'tags': ['Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290', 'name': 'https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290', 'tags': ['Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://go.dev/cl/401595', 'name': 'https://go.dev/cl/401595', 'tags': ['Patch', 'Vendor Advisory'], 'refsource': 'MISC'}
  • (MISC) https://groups.google.com/g/golang-announce -
  • (CONFIRM) https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg -
Summary Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to valid paths (such as c: in this example).

15 Aug 2022, 17:07

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
References (MISC) https://go.dev/issue/52476 - (MISC) https://go.dev/issue/52476 - Exploit, Issue Tracking, Patch, Vendor Advisory
References (MISC) https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290 - (MISC) https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290 - Patch, Vendor Advisory
References (MISC) https://pkg.go.dev/vuln/GO-2022-0533 - (MISC) https://pkg.go.dev/vuln/GO-2022-0533 - Patch, Vendor Advisory
References (MISC) https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ - (MISC) https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ - Release Notes, Vendor Advisory
References (MISC) https://go.dev/cl/401595 - (MISC) https://go.dev/cl/401595 - Patch, Vendor Advisory
CWE CWE-22
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

10 Aug 2022, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-08-10 20:15

Updated : 2024-11-21 06:59

NVD link : CVE-2022-29804

Mitre link : CVE-2022-29804

CVE.ORG link : CVE-2022-29804

JSON object : View

Products Affected

microsoft

  • windows

golang

  • go
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')