blob: 3c2b566db5c8acc53dcf130de2642b64050f6e25 [file] [log] [blame]
id: GO-2022-0533
modules:
- module: std
versions:
- fixed: 1.17.11
- introduced: 1.18.0-0
- fixed: 1.18.3
vulnerable_at: 1.18.2
packages:
- package: path/filepath
goos:
- windows
symbols:
- Clean
summary: Path traversal via Clean on Windows in path/filepath
description: |-
On Windows, the filepath.Clean function can convert certain invalid paths to
valid, absolute paths, potentially allowing a directory traversal attack.
For example, Clean(".\c:") returns "c:".
published: 2022-07-28T17:25:07Z
credits:
- Unrud
references:
- fix: https://go.dev/cl/401595
- fix: https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
- report: https://go.dev/issue/52476
- web: https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
cve_metadata:
id: CVE-2022-29804
cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
description: |-
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean
in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential
directory traversal attack.
review_status: REVIEWED