Main Vulnerability Database Vulnerabilities #VU70332

#VU70332 Path traversal in Go programming language - CVE-2022-41720

Published: December 14, 2022

Vulnerability identifier: #VU70332

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-41720

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the way os.DirFS function and http.Dir type handle empty values on Windows, allowing an attacker with control over the path to view arbitrary files on the system.

Remediation

Install update from vendor's website.

External links

https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
https://pkg.go.dev/vuln/GO-2022-1143
https://go.dev/cl/455716
https://go.dev/issue/56694

#VU70332 Path traversal in Go programming language - CVE-2022-41720

Description

Remediation

External links

Please verify you're human