Main Vulnerability Database Vulnerabilities #VU70332

Path traversal in Go programming language - CVE-2022-41720

Published: December 14, 2022

Vulnerability identifier: #VU70332

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-41720

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Go programming language

Detailed vulnerability description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the way os.DirFS function and http.Dir type handle empty values on Windows, allowing an attacker with control over the path to view arbitrary files on the system.

How to mitigate CVE-2022-41720

Install update from vendor's website.

Sources

https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
https://pkg.go.dev/vuln/GO-2022-1143
https://go.dev/cl/455716
https://go.dev/issue/56694

Path traversal in Go programming language - CVE-2022-41720

Detailed vulnerability description

How to mitigate CVE-2022-41720

Sources

Please verify you're human