Main Vulnerability Database Vulnerabilities #VU73721

#VU73721 Path traversal in Go programming language - CVE-2022-41722

Published: March 15, 2023

Vulnerability identifier: #VU73721

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-41722

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the filepath.Clean() function on Windows, which can transform an invalid path such as "a/../c:/b" into the valid path "c:". As a result, an attacker can read arbitrary files on the system.

Remediation

Install update from vendor's website.

External links

https://pkg.go.dev/vuln/GO-2023-1568
https://go.dev/cl/468123
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://go.dev/issue/57274