CVE-2023-45283Path Traversal in Standard Library Path Filepath

CWE-22Path Traversal7 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 45.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GO Standard Library Internal SafefilepathGO Standard Library Path FilepathGolang GO
Timeline
PublishedNov 9
Latest updateNov 14

Description

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Joi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5go_standard_library/path_filepath1.21.0-01.21.4+3
CVEListV5go_standard_library/internal_safefilepath1.21.0-01.21.4+1
NVDgolang/go1.21.0-01.21.4+1

🔴Vulnerability Details

4
OSV
CVE-2023-45283: The filepath package does not recognize paths with a \??\ prefix as special2023-11-09
CVEList
Insecure parsing of Windows paths with a \??\ prefix in path/filepath2023-11-09
GHSA
GHSA-vvjp-q62m-2vph: The filepath package does not recognize paths with a \??\ prefix as special2023-11-09
OSV
Insecure parsing of Windows paths with a \??\ prefix in path/filepath2023-11-08

📋Vendor Advisories

2
Microsoft
Insecure parsing of Windows paths with a \??\ prefix in path/filepath2023-11-14
Debian
CVE-2023-45283: golang-1.15 - The filepath package does not recognize paths with a \??\ prefix as special. On ...2023
CVE-2023-45283 — Path Traversal | cvebase