modules:
  - module: std
    versions:
      - introduced: 1.19.0
        fixed: 1.19.1
    vulnerable_at: 1.19.0
    packages:
      - package: net/url
        symbols:
          - URL.JoinPath
        derived_symbols:
          - JoinPath
description: |
    JoinPath and URL.JoinPath do not remove ../ path elements appended
    to a relative path. For example, JoinPath("https://go.dev", "../go")
    returns the URL "https://go.dev/../go", despite the JoinPath documentation
    stating that ../ path elements are removed from the result.
published: 2022-09-12T20:23:15Z
credit: '@q0jt'
references:
  - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
  - report: https://go.dev/issue/54385
  - fix: https://go.dev/cl/423514
cve_metadata:
    id: CVE-2022-32190
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
        Traversal'')'