openEuler update for golang
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-29526 CVE-2022-29804 |
| CWE-ID | CWE-264 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
openEuler Operating systems & Components / Operating system golang-devel Operating systems & Components / Operating system package or component golang-help Operating systems & Components / Operating system package or component golang Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU63173
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29526
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the Faccessat function can incorrectly report that a file is accessible, when called with a non-zero flags parameter. An attacker can bypass implemented security restrictions.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 22.03 LTS
golang-devel: before 1.15.7-16
golang-help: before 1.15.7-16
golang: before 1.15.7-16
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1857
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU73872
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29804
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error within the filepath.Clean function on Windows, which can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. A remote attacker can pass specially crafted data to the application and perform directory traversal attacks.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 22.03 LTS
golang-devel: before 1.15.7-16
golang-help: before 1.15.7-16
golang: before 1.15.7-16
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1857
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
