Path traversal in Go programming language

#VU70332 Path traversal in Go programming language

Published: 2022-12-14

Vulnerability identifier: #VU70332

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41720

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the way os.DirFS function and http.Dir type handle empty values on Windows, allowing an attacker with control over the path to view arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Go programming language: 1.19 - 1.19.3, 1.18 - 1.18.8

External links
http://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
http://pkg.go.dev/vuln/GO-2022-1143
http://go.dev/cl/455716
http://go.dev/issue/56694

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring

Multiple vulnerabilities in IBM Cloud Pak System

Multiple vulnerabilities in IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Splunk Enterprise update for third-party packages

Multiple vulnerabilities in Oracle Solaris third-party software

Fedora EPEL 7 update for golang

SUSE update for go1.18-openssl

SUSE update for container-suseconnect

Multiple vulnerabilities in Communications Unified Assurance

HashiCorp Consul update for Go