Vulnerability Description
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.19.6 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://go.dev/cl/468123Issue Tracking
- https://go.dev/issue/57274Issue Tracking
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_EMailing ListVendor Advisory
- https://pkg.go.dev/vuln/GO-2023-1568Vendor Advisory
- https://go.dev/cl/468123Issue Tracking
- https://go.dev/issue/57274Issue Tracking
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_EMailing ListVendor Advisory
- https://pkg.go.dev/vuln/GO-2023-1568Vendor Advisory
FAQ
What is CVE-2022-41722?
CVE-2022-41722 is a vulnerability with a CVSS score of 7.5 (HIGH). A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transfo...
How severe is CVE-2022-41722?
CVE-2022-41722 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-41722?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Microsoft Windows.