CVE-2022-29804

Published on: Not Yet Published

Last Modified on: 09/06/2022 06:15:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Go from Golang contain the following vulnerability:

In filepath.Clean in path/filepath in Go before 1.17.11 and 1.18.x before 1.18.3 on Windows, invalid paths such as .\c: could be converted to valid paths (such as c: in this example).

  • CVE-2022-29804 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVE References

  • [MISC] No Description Provided: go.dev/cl/401595
  • [MISC] 9cd1818a7d019c02fa4898b3e45a323e35033290 - go - Git at Google: go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
  • [MISC] GO-2022-0533 - Go Packages: pkg.go.dev/vuln/GO-2022-0533
  • [MISC] [security] Go 1.18.3 and Go 1.17.11 are released: groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
  • [MISC] golang-announce - Google Groups: groups.google.com/g/golang-announce
  • [MISC] path/filepath: Clean(`.\c:`) returns `c:` on Windows · Issue #52476 · golang/go · GitHub: go.dev/issue/52476
  • [CONFIRM] [security] Go 1.18.3 and Go 1.17.11 are released: groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Related QID Numbers

  • 159981 Oracle Enterprise Linux Security Update for go-toolset:ol8addon (ELSA-2022-17956)
  • 159984 Oracle Enterprise Linux Security Update for ol8addon (ELSA-2022-17957)
  • 502459 Alpine Linux Security Update for go
  • 690876 Free Berkeley Software Distribution (FreeBSD) Security Update for go (15888c7e-e659-11ec-b7fe-10c37b4ac2ea)

Known Affected Configurations (CPE V2.3)

Type              Vendor     Product  Version  Update  Edition  Language
Application       Golang     Go       All      All     All      All
Operating System  Microsoft  Windows  -        All     All      All
  • cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*:

Social Mentions

  • Twitter, @mattn_jp, 2022-06-07 00:55:41 UTC: Glad the fix for CVE-2022-29804 landed before the Go 1.19 freeze.
  • Twitter, @vigilance_fr, 2022-06-08 06:09:03 UTC: [email protected] #Vulnerability of Go: four vulnerabilities. vigilance.fr/vulnerabilite/… References: #CVE-2022-29804, #CVE-… twitter.com/i/web/status/1…
  • Twitter, @vigilance_en, 2022-06-08 06:09:04 UTC: [email protected] #Vulnerability of Go: four vulnerabilities. vigilance.fr/vulnerability/… Identifiers: #CVE-2022-29804, #CVE-20… twitter.com/i/web/status/1…
  • Twitter, @mattn_jp, 2022-08-10 01:13:25 UTC: The details of CVE-2022-29804 have been published, so I am passing them along. There is a problem in path/filepath: when a Go web server is started on Windows, a request with an invalid path lets all files from the drive root be referenced… twitter.com/i/web/status/1…
  • Twitter, @ipssignatures, 2022-08-10 06:06:00 UTC: The vuln CVE-2022-29804 has a tweet created 0 days ago and retweeted 107 times. twitter.com/mattn_jp/statu… #pow2rtrtwwcve
  • Twitter, @m2i_tw, 2022-08-10 14:30:14 UTC: CVE-2022-29804 have been released: there is a problem with path/filepath and when starting the Golang for Web Serve… twitter.com/i/web/status/1…
  • Twitter, @CVEreport, 2022-08-10 20:40:31 UTC: CVE-2022-29804 : Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath b… twitter.com/i/web/status/1…
  • Reddit, /r/netcve, 2022-08-10 21:38:24 UTC: CVE-2022-29804
© CVE.report 2022