data/reports/GO-2022-0988.yaml - vulndb - Git at Google

 id: GO-2022-0988
 modules:
     - module: std
       versions:
         - introduced: 1.19.0-0
           fixed: 1.19.1
       vulnerable_at: 1.19.0
       packages:
         - package: net/url
           symbols:
             - URL.JoinPath
           derived_symbols:
             - JoinPath
 summary: Failure to strip relative path components in net/url
 description: |-
     JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative
     path. For example, JoinPath("https://go.dev", "../go") returns the URL
     "https://go.dev/../go", despite the JoinPath documentation stating that ../ path
     elements are removed from the result.
 published: 2022-09-12T20:23:15Z
 credits:
     - '@q0jt'
 references:
     - web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
     - report: https://go.dev/issue/54385
     - fix: https://go.dev/cl/423514
 cve_metadata:
     id: CVE-2022-32190
     cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'
	id: GO-2022-0988
	modules:
	- module: std
	versions:
	- introduced: 1.19.0-0
	fixed: 1.19.1
	vulnerable_at: 1.19.0
	packages:
	- package: net/url
	symbols:
	- URL.JoinPath
	derived_symbols:
	- JoinPath
	summary: Failure to strip relative path components in net/url
	description: \|-
	JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative
	path. For example, JoinPath("https://go.dev", "../go") returns the URL
	"https://go.dev/../go", despite the JoinPath documentation stating that ../ path
	elements are removed from the result.
	published: 2022-09-12T20:23:15Z
	credits:
	- '@q0jt'
	references:
	- web: https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
	- report: https://go.dev/issue/54385
	- fix: https://go.dev/cl/423514
	cve_metadata:
	id: CVE-2022-32190
	cwe: 'CWE-22: Improper Limitation of a Pathname to a Restricted Directory (''Path Traversal'')'