| id: GO-2023-1568 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.19.6 |
| - introduced: 1.20.0-0 |
| fixed: 1.20.1 |
| vulnerable_at: 1.20.0 |
| packages: |
| - package: path/filepath |
| goos: |
| - windows |
| symbols: |
| - Clean |
| derived_symbols: |
| - Abs |
| - Dir |
| - EvalSymlinks |
| - Glob |
| - IsLocal |
| - Join |
| - Rel |
| - Walk |
| - WalkDir |
| summary: Path traversal on Windows in path/filepath |
| description: |- |
| A path traversal vulnerability exists in filepath.Clean on Windows. |
| |
| On Windows, the filepath.Clean function could transform an invalid path such as |
| "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if |
| invalid) path into an absolute path could enable a directory traversal attack. |
| |
| After fix, the filepath.Clean function transforms this path into the relative |
| (but still invalid) path ".\c:\b". |
| credits: |
| - RyotaK (https://ryotak.net) |
| references: |
| - report: https://go.dev/issue/57274 |
| - fix: https://go.dev/cl/468123 |
| - web: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E |
| cve_metadata: |
| id: CVE-2022-41722 |
| cwe: | |
| CWE-22: Improper Limitation of a Pathname to a Restricted |
| Directory ("Path Traversal") |
