CVE-2022-41720Path Traversal in Standard Library NET Http

CWE-22Path Traversal8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 89.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GO Standard Library NET HttpGO Standard Library OSGolang GO
Timeline
PublishedDec 7
Latest updateJan 15

Description

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously craft

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5go_standard_library/net_http1.19.0-01.19.4+1
NVDgolang/go1.19.01.19.4+1
CVEListV5go_standard_library/os1.19.0-01.19.4+1

Patches

Patch: go.devPatch: groups.google.comPatch: pkg.go.dev

🔴Vulnerability Details

4
CVEList
Restricted file access on Windows in os and net/http2022-12-07
OSV
Restricted file access on Windows in os and net/http2022-12-07
GHSA
GHSA-cvf9-g74c-vv79: On Windows, restricted files can be accessed via os2022-12-07
OSV
CVE-2022-41720: On Windows, restricted files can be accessed via os2022-12-07

📋Vendor Advisories

3
Oracle
Oracle Oracle Communications Applications Risk Matrix: Core (Go) — CVE-2022-417202023-01-15
Red Hat
golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows2022-12-07
Debian
CVE-2022-41720: golang-1.15 - On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.D...2022
CVE-2022-41720 — Path Traversal | cvebase