data/reports/GO-2023-1568.yaml - vulndb - Git at Google

 id: GO-2023-1568
 modules:
     - module: std
       versions:
         - fixed: 1.19.6
         - introduced: 1.20.0-0
           fixed: 1.20.1
       vulnerable_at: 1.20.0
       packages:
         - package: path/filepath
           goos:
             - windows
           symbols:
             - Clean
           derived_symbols:
             - Abs
             - Dir
             - EvalSymlinks
             - Glob
             - IsLocal
             - Join
             - Rel
             - Walk
             - WalkDir
 summary: Path traversal on Windows in path/filepath
 description: |-
     A path traversal vulnerability exists in filepath.Clean on Windows.

     On Windows, the filepath.Clean function could transform an invalid path such as
     "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if
     invalid) path into an absolute path could enable a directory traversal attack.

     After fix, the filepath.Clean function transforms this path into the relative
     (but still invalid) path ".\c:\b".
 credits:
     - RyotaK (https://ryotak.net)
 references:
     - report: https://go.dev/issue/57274
     - fix: https://go.dev/cl/468123
     - web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
 cve_metadata:
     id: CVE-2022-41722
     cwe: |
         CWE-22: Improper Limitation of a Pathname to a Restricted
         Directory ("Path Traversal")
	id: GO-2023-1568
	modules:
	- module: std
	versions:
	- fixed: 1.19.6
	- introduced: 1.20.0-0
	fixed: 1.20.1
	vulnerable_at: 1.20.0
	packages:
	- package: path/filepath
	goos:
	- windows
	symbols:
	- Clean
	derived_symbols:
	- Abs
	- Dir
	- EvalSymlinks
	- Glob
	- IsLocal
	- Join
	- Rel
	- Walk
	- WalkDir
	summary: Path traversal on Windows in path/filepath
	description: \|-
	A path traversal vulnerability exists in filepath.Clean on Windows.

	On Windows, the filepath.Clean function could transform an invalid path such as
	"a/../c:/b" into the valid path "c:\b". This transformation of a relative (if
	invalid) path into an absolute path could enable a directory traversal attack.

	After fix, the filepath.Clean function transforms this path into the relative
	(but still invalid) path ".\c:\b".
	credits:
	- RyotaK (https://ryotak.net)
	references:
	- report: https://go.dev/issue/57274
	- fix: https://go.dev/cl/468123
	- web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
	cve_metadata:
	id: CVE-2022-41722
	cwe: \|
	CWE-22: Improper Limitation of a Pathname to a Restricted
	Directory ("Path Traversal")