reports/GO-2022-0527.yaml - vulndb - Git at Google

 packages:
   - module: std
     package: io/fs
     symbols:
       - Glob
     versions:
       - fixed: 1.17.12
       - introduced: 1.18.0
         fixed: 1.18.4
     vulnerable_at: 1.18.3
 description: |
     Calling Glob on a path which contains a large number of path separators can
     cause a panic due to stack exhaustion.
 links:
     pr: https://go.dev/cl/417065
     commit: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
     context:
       - https://go.dev/issue/53415
       - https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
 cve_metadata:
     id: CVE-2022-30630
     cwe: 'CWE-674: Uncontrolled Recursion'
     description: |
         Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4
         allows an attacker to cause a panic due to stack exhaustion via a path
         which contains a large number of path separators.
	packages:
	- module: std
	package: io/fs
	symbols:
	- Glob
	versions:
	- fixed: 1.17.12
	- introduced: 1.18.0
	fixed: 1.18.4
	vulnerable_at: 1.18.3
	description: \|
	Calling Glob on a path which contains a large number of path separators can
	cause a panic due to stack exhaustion.
	links:
	pr: https://go.dev/cl/417065
	commit: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
	context:
	- https://go.dev/issue/53415
	- https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
	cve_metadata:
	id: CVE-2022-30630
	cwe: 'CWE-674: Uncontrolled Recursion'
	description: \|
	Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4
	allows an attacker to cause a panic due to stack exhaustion via a path
	which contains a large number of path separators.