CVE-2022-29804
published 2022-08-10
Priority P3 · 42 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.87% (76.7th percentile)
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| go_standard_library | path_filepath | < 1.17.11 | 1.17.11 |
| go_standard_library | path_filepath | >= 1.18.0-0 < 1.18.3 | 1.18.3 |
| golang | go | < 1.17.11 | 1.17.11 |
| golang | go | >= 1.18.0 < 1.18.3 | 1.18.3 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.10 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.12 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.13 | — | — |
| msrc | microsoft_visual_studio_2022_version_17.8 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
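| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_msrc | — | 7.5 | HIGH | — |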
VulDB
Google Go up to 1.17.10/1.18.2 on Windows path-filepath Clean pathname traversal (EUVD-2022-34125)
vuldb·2026-05-23·CVSS 7.5
CVE-2022-29804 [HIGH] Google Go up to 1.17.10/1.18.2 on Windows path-filepath Clean pathname traversal (EUVD-2022-34125)
A vulnerability was found in Google Go up to 1.17.10/1.18.2 on Windows. It has been declared as critical. This affects the function Clean of the component path-filepath. Executing a manipulation can lead to pathname traversal.
This vulnerability is registered as CVE-2022-29804. It is possible to launch the attack remotely. No exploit is available.
It is recommended to upgrade the affected component.
GHSA
GHSA-4r7w-gv7f-q74g: Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1
ghsa_unreviewed·2022-08-11
CVE-2022-29804 [HIGH] CWE-22 GHSA-4r7w-gv7f-q74g: Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
OSV
Path traversal via Clean on Windows in path/filepath
osv·2022-07-28
CVE-2022-29804 Path traversal via Clean on Windows in path/filepath
On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack.
For example, Clean(".\c:") returns "c:".
Microsoft
Visual Studio Elevation of Privilege Vulnerability
vendor_msrc·2025-04-08·CVSS 7.3
CVE-2025-29804 [HIGH] CWE-284 Visual Studio Elevation of Privilege Vulnerability
Description: Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user.
Visual Studio: Visual Studio
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Remediation: Release Notes
Reference: https://my.visualstudio.com/Downloads?q=Visual Studio 2022 version 17.13
Reference: https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes
Refere
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-02-14·CVSS 9.8
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Microsoft
Path traversal via Clean on Windows in path/filepath
vendor_msrc·2022-08-09·CVSS 7.5
CVE-2022-29804 [HIGH] CWE-22 Path traversal via Clean on Windows in path/filepath
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Debian
CVE-2022-29804: golang-1.15 - Incorrect conversion of certain invalid paths to valid, absolute paths in Clean ...
vendor_debian·2022·CVSS 7.5
CVE-2022-29804 [HIGH] CVE-2022-29804: golang-1.15 - Incorrect conversion of certain invalid paths to valid, absolute paths in Clean ...
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
Scope: local
bullseye: resolved
https://go.dev/cl/401595
https://go.dev/issue/52476
https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://pkg.go.dev/vuln/GO-2022-0533