Vulnerability Report: GO-2022-0533

standard library

CVE-2022-29804
Affects: path/filepath
Published: Jul 28, 2022
Modified: May 20, 2024

On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. For example, Clean(".\c:") returns "c:".

Affected Packages

Path

Go Versions

Symbols
path/filepath

before go1.17.11, from go1.18.0-0 before go1.18.3
- Clean

Aliases

CVE-2022-29804

References

https://go.dev/cl/401595
https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
https://go.dev/issue/52476
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
https://vuln.go.dev/ID/GO-2022-0533.json

Credits

Unrud

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL