CVE-2022-32190

Published Sep 13, 2022

Last updated a year ago

CVSS high 7.5

Overview

Description: JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
Source: security@golang.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-22

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:golang:go:1.19.0:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "897B57CA-3B3C-4481-AB48-0DC0F9F7E88D"
          },
          {
            "criteria": "cpe:2.3:a:golang:go:1.19.0:beta1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B24A1D2C-FF92-4C87-8377-41386988C5B4"
          },
          {
            "criteria": "cpe:2.3:a:golang:go:1.19.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "724EF8B4-9AA2-45CB-B55B-4697CC6D8353"
          },
          {
            "criteria": "cpe:2.3:a:golang:go:1.19.0:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "438A873A-3DAC-47BD-9919-2DFAC5C1F767"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References