CVE-2022-32190 — Path Traversal in Standard Library NET URL

CWE-22 — Path Traversal7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 61.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET URL Golang GO

Timeline

PublishedSep 13

Latest updateSep 14

Description

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go_standard_library/net_url1.19.0-0 — 1.19.1

▶NVDgolang/go1.19.0

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: pkg.go.dev ↗

🔴Vulnerability Details

GHSA

GHSA-q856-gh5w-3vwg: JoinPath and URL↗2022-09-14

▶

CVEList

Failure to strip relative path components in net/url↗2022-09-13

▶

OSV

CVE-2022-32190: JoinPath and URL↗2022-09-13

▶

OSV

Failure to strip relative path components in net/url↗2022-09-12

▶

📋Vendor Advisories

Red Hat

golang: net/url: JoinPath does not strip relative path components in all circumstances↗2022-09-06

▶

Debian

CVE-2022-32190: golang-1.15 - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative...↗2022

▶