data/reports/GO-2022-0527.yaml - vulndb - Git at Google

 modules:
   - module: std
     versions:
       - fixed: 1.17.12
       - introduced: 1.18.0
         fixed: 1.18.4
     vulnerable_at: 1.18.3
     packages:
       - package: io/fs
         symbols:
           - Glob
 description: |
     Calling Glob on a path which contains a large number of path separators can
     cause a panic due to stack exhaustion.
 published: 2022-07-20T20:52:22Z
 references:
   - fix: https://go.dev/cl/417065
   - fix: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
   - report: https://go.dev/issue/53415
   - web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
 cve_metadata:
     id: CVE-2022-30630
     cwe: 'CWE-674: Uncontrolled Recursion'
     description: |
         Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4
         allows an attacker to cause a panic due to stack exhaustion via a path
         which contains a large number of path separators.
	modules:
	- module: std
	versions:
	- fixed: 1.17.12
	- introduced: 1.18.0
	fixed: 1.18.4
	vulnerable_at: 1.18.3
	packages:
	- package: io/fs
	symbols:
	- Glob
	description: \|
	Calling Glob on a path which contains a large number of path separators can
	cause a panic due to stack exhaustion.
	published: 2022-07-20T20:52:22Z
	references:
	- fix: https://go.dev/cl/417065
	- fix: https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59
	- report: https://go.dev/issue/53415
	- web: https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
	cve_metadata:
	id: CVE-2022-30630
	cwe: 'CWE-674: Uncontrolled Recursion'
	description: \|
	Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4
	allows an attacker to cause a panic due to stack exhaustion via a path
	which contains a large number of path separators.