modules:
  - module: std
    versions:
      - introduced: 1.19.0
        fixed: 1.19.1
    vulnerable_at: 1.19.0
    packages:
      - package: net/url
        symbols:
          - URL.JoinPath
        derived_symbols:
          - JoinPath
description: |
    JoinPath and URL.JoinPath do not remove ../ path elements appended
    to a relative path. For example, JoinPath("https://go.dev", "../go")
    returns the URL "https://go.dev/../go", despite the JoinPath documentation
    stating that ../ path elements are removed from the result.
published: 2022-09-12T20:23:15Z
credit: '@q0jt'
references:
  - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
  - report: https://go.dev/issue/54385
  - fix: https://go.dev/cl/423514
cve_metadata:
    id: CVE-2022-32190
    cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path
        Traversal'')'