CVE-2022-41722
Published 2023-02-28
Priority: P3 · 42 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.68% (74.0th percentile)
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
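An added example, not taken from the advisory or from the Go project's code: it shows why lexically removing ".." can surface a drive-like element at the front of a path, and one conservative way to reject such input before it is joined under a base directory. The names `hasDrivePrefix`, `lexicalClean` and `ValidateRelative` are hypothetical, and `path.Clean` is used as a host-independent stand-in for the lexical step.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe relative path")

// hasDrivePrefix reports whether p starts with a drive designator such as "c:".
func hasDrivePrefix(p string) bool {
	return len(p) >= 2 && p[1] == ':' && (p[0]|0x20) >= 'a' && (p[0]|0x20) <= 'z'
}

// lexicalClean drops "." and ".." elements. Assumption: path.Clean stands in for
// the lexical step on any host OS; it is not the Windows filepath.Clean itself.
func lexicalClean(p string) string {
	return path.Clean(strings.ReplaceAll(p, `\`, "/"))
}

// ValidateRelative (hypothetical helper) checks each element before any cleaning.
func ValidateRelative(p string) error {
	p = strings.ReplaceAll(p, `\`, "/")
	if p == "" || strings.HasPrefix(p, "/") {
		return ErrUnsafePath
	}
	depth := 0
	for _, elem := range strings.Split(p, "/") {
		switch {
		case elem == "" || elem == ".":
		case elem == "..":
			if depth--; depth < 0 {
				return ErrUnsafePath // climbs above the base directory
			}
		case strings.Contains(elem, ":"):
			return ErrUnsafePath // "c:" style element; conservative: any colon
		default:
			depth++
		}
	}
	return nil
}

func main() {
	p := "a/../c:/b" // the invalid path quoted in the advisory
	fmt.Println(lexicalClean(p), hasDrivePrefix(lexicalClean(p)), ValidateRelative(p))
}
```

On Go 1.20 and later, `filepath.IsLocal` is the standard-library check for this class of input.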
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.19 1.19.6-2 (bookworm) | golang-1.19 1.19.6-2 (bookworm) |
| debian | golang-1.19 | < golang-1.19 1.19.6-2 (bookworm) | golang-1.19 1.19.6-2 (bookworm) |
| go_standard_library | path_filepath | < 1.19.6 | 1.19.6 |
| go_standard_library | path_filepath | >= 1.20.0-0 < 1.20.1 | 1.20.1 |
| golang | go | < 1.19.6 | 1.19.6 |
| golang | go | — | — |
| msrc | azl3_golang_1.22.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.22.7-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.19.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_golang_1.17.13-2_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv · 7.5 · HIGH
vendor_debian · 7.5 · LOW
vendor_msrc · 7.5 · HIGH
vendor_redhat · 7.5 · HIGH
Red Hat
golang: path/filepath: path-filepath filepath.Clean path traversal
vendor_redhat·2023-02-15·CVSS 7.5
CVE-2022-41722 [HIGH] CWE-22 golang: path/filepath: path-filepath filepath.Clean path traversal
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
A flaw was found in Go, where it could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the filepath.Clean on Windows package. This flaw allows an attacker to send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitra
Microsoft
Path traversal on Windows in path/filepath
vendor_msrc·2023-02-14·CVSS 7.5
CVE-2022-41722 [HIGH] CWE-22 Path traversal on Windows in path/filepath
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-u
Debian
CVE-2022-41722: golang-1.15 - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, ...
vendor_debian·2022·CVSS 7.5
CVE-2022-41722 [HIGH] CVE-2022-41722: golang-1.15 - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, ...
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
Scope: local
bullseye: open
OSV
CVE-2022-41722: A path traversal vulnerability exists in filepath
osv·2023-02-28·CVSS 7.5
CVE-2022-41722 [HIGH] CVE-2022-41722: A path traversal vulnerability exists in filepath
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
GHSA
GHSA-fp44-cj2j-3jhx: A path traversal vulnerability exists in filepath
ghsa_unreviewed·2023-02-28
CVE-2022-41722 [HIGH] CWE-22 GHSA-fp44-cj2j-3jhx: A path traversal vulnerability exists in filepath
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
OSV
Path traversal on Windows in path/filepath
osv·2023-02-16
CVE-2022-41722 Path traversal on Windows in path/filepath
A path traversal vulnerability exists in filepath.Clean on Windows.
On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack.
After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-02-28