data/cve/v5/GO-2024-2961.json - vulndb - Git at Google

 {
   "dataType": "CVE_RECORD",
   "dataVersion": "5.0",
   "cveMetadata": {
     "cveId": "CVE-2022-30636"
   },
   "containers": {
     "cna": {
       "providerMetadata": {
         "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
       },
       "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto",
       "descriptions": [
         {
           "lang": "en",
           "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."
         }
       ],
       "affected": [
         {
           "vendor": "golang.org/x/crypto",
           "product": "golang.org/x/crypto/acme/autocert",
           "collectionURL": "https://pkg.go.dev",
           "packageName": "golang.org/x/crypto/acme/autocert",
           "versions": [
             {
               "version": "0",
               "lessThan": "0.0.0-20220525230936-793ad666bf5e",
               "status": "affected",
               "versionType": "semver"
             }
           ],
           "platforms": [
             "windows"
           ],
           "programRoutines": [
             {
               "name": "DirCache.Get"
             },
             {
               "name": "DirCache.Put"
             },
             {
               "name": "DirCache.Delete"
             },
             {
               "name": "HostWhitelist"
             },
             {
               "name": "Manager.GetCertificate"
             },
             {
               "name": "Manager.Listener"
             },
             {
               "name": "NewListener"
             },
             {
               "name": "listener.Accept"
             },
             {
               "name": "listener.Close"
             }
           ],
           "defaultStatus": "unaffected"
         }
       ],
       "problemTypes": [
         {
           "descriptions": [
             {
               "lang": "en",
               "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
             }
           ]
         }
       ],
       "references": [
         {
           "url": "https://go.dev/cl/408694"
         },
         {
           "url": "https://go.dev/issue/53082"
         },
         {
           "url": "https://pkg.go.dev/vuln/GO-2024-2961"
         }
       ],
       "credits": [
         {
           "lang": "en",
           "value": "Juho Nurminen of Mattermost"
         }
       ]
     }
   }
 }
	{
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0",
	"cveMetadata": {
	"cveId": "CVE-2022-30636"
	},
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
	},
	"title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto",
	"descriptions": [
	{
	"lang": "en",
	"value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."
	}
	],
	"affected": [
	{
	"vendor": "golang.org/x/crypto",
	"product": "golang.org/x/crypto/acme/autocert",
	"collectionURL": "https://pkg.go.dev",
	"packageName": "golang.org/x/crypto/acme/autocert",
	"versions": [
	{
	"version": "0",
	"lessThan": "0.0.0-20220525230936-793ad666bf5e",
	"status": "affected",
	"versionType": "semver"
	}
	],
	"platforms": [
	"windows"
	],
	"programRoutines": [
	{
	"name": "DirCache.Get"
	},
	{
	"name": "DirCache.Put"
	},
	{
	"name": "DirCache.Delete"
	},
	{
	"name": "HostWhitelist"
	},
	{
	"name": "Manager.GetCertificate"
	},
	{
	"name": "Manager.Listener"
	},
	{
	"name": "NewListener"
	},
	{
	"name": "listener.Accept"
	},
	{
	"name": "listener.Close"
	}
	],
	"defaultStatus": "unaffected"
	}
	],
	"problemTypes": [
	{
	"descriptions": [
	{
	"lang": "en",
	"description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
	}
	]
	}
	],
	"references": [
	{
	"url": "https://go.dev/cl/408694"
	},
	{
	"url": "https://go.dev/issue/53082"
	},
	{
	"url": "https://pkg.go.dev/vuln/GO-2024-2961"
	}
	],
	"credits": [
	{
	"lang": "en",
	"value": "Juho Nurminen of Mattermost"
	}
	]
	}
	}
	}