PT-2022-21143 · Go.Dev+2 · Go.Dev+2

Q0Jt

Published

2022-09-12

Updated

2024-06-15

CVE-2022-32190

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions go.dev (affected versions not specified)

Description The issue concerns the JoinPath and URL.JoinPath functions, which do not remove ../ path elements appended to a relative path as expected. This is contrary to the documentation, which states that ../ path elements should be removed from the result. For instance, JoinPath("https://go.dev", "../go") returns "https://go.dev/../go".

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2022-2615

BIT-GOLANG-2022-32190

CVE-2022-32190

GO-2022-0988

MGASA-2022-0356

OPENSUSE-SU-2022_3326-1

OPENSUSE-SU-2024:12310-1

RHSA-2022:7398

RHSA-2023:3204

RHSA-2023:3613

SUSE-SU-2022:3326-1

Affected Products

Alt Linux

Suse

Go.Dev

PT-2022-21143 · Go.Dev+2 · Go.Dev+2

CVE-2022-32190

Weakness Enumeration

Related Identifiers

Affected Products

References · 25