blob: b4b82fb9d2074d2495b3199cc66a73acf0d6d7b3 [file] [log] [blame]
id: GO-2022-0988
modules:
- module: std
versions:
- introduced: 1.19.0-0
- fixed: 1.19.1
vulnerable_at: 1.19.0
packages:
- package: net/url
symbols:
- URL.JoinPath
derived_symbols:
- JoinPath
summary: Failure to strip relative path components in net/url
description: |-
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative
path. For example, JoinPath("https://go.dev", "../go") returns the URL
"https://go.dev/../go", despite the JoinPath documentation stating that ../ path
elements are removed from the result.
published: 2022-09-12T20:23:15Z
credits:
- '@q0jt'
references:
- web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
- report: https://go.dev/issue/54385
- fix: https://go.dev/cl/423514
cve_metadata:
id: CVE-2022-32190
cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
review_status: REVIEWED