CVE-2022-30636

July 2, 2024, 8:15 p.m.

None
No Score

Description

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Product(s) Impacted

Product Versions
Go programming language

Weaknesses

References

https://go.dev/cl/408694
https://go.dev/issue/53082
https://pkg.go.dev/vuln/GO-2024-2961

Tags

security@golang.org
2024-07-02
CVE-2022-30636

Date

  • Published: July 2, 2024, 8:15 p.m.
  • Last Modified: July 2, 2024, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.