ByteOS Network

Vulnerability Details :

CVE-2022-41722

Assigner-Go

Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc

Published At-28 Feb, 2023 | 17:19

Updated At-07 Mar, 2025 | 17:58

Path traversal on Windows in path/filepath

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Go

Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc

Published At:28 Feb, 2023 | 17:19

Updated At:07 Mar, 2025 | 17:58

▼CVE Numbering Authority (CNA)

Path traversal on Windows in path/filepath

Affected Products

Vendor

Go standard library

Product

path/filepath

Collection URL

https://pkg.go.dev

Package Name

path/filepath

Program Routines

Clean
Abs
Dir
EvalSymlinks
Glob
IsLocal
Join
Rel
Walk
WalkDir

Platforms

windows

Default Status

unaffected

Versions

Affected

From 0 before 1.19.6 (semver)
From 1.20.0-0 before 1.20.1 (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")

Type: N/A

CWE ID: N/A

Description: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")

Credits

RyotaK (https://ryotak.net)

References

Hyperlink	Resource
https://go.dev/issue/57274	N/A
https://go.dev/cl/468123	N/A
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E	N/A
https://pkg.go.dev/vuln/GO-2023-1568	N/A

Hyperlink: https://go.dev/issue/57274

Resource: N/A

Hyperlink: https://go.dev/cl/468123

Resource: N/A

Hyperlink: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Resource: N/A

Hyperlink: https://pkg.go.dev/vuln/GO-2023-1568

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://go.dev/issue/57274	x_transferred
https://go.dev/cl/468123	x_transferred
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E	x_transferred
https://pkg.go.dev/vuln/GO-2023-1568	x_transferred

Hyperlink: https://go.dev/issue/57274

Resource:

x_transferred

Hyperlink: https://go.dev/cl/468123

Resource:

x_transferred

Hyperlink: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Resource:

x_transferred

Hyperlink: https://pkg.go.dev/vuln/GO-2023-1568

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@golang.org

Published At:28 Feb, 2023 | 18:15

Updated At:07 Nov, 2023 | 03:52

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Primary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CPE Matches

Microsoft Corporation

>>windows>>-

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

>>go>>Versions before 1.19.6(exclusive)

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

>>go>>1.20.0

cpe:2.3:a:golang:go:1.20.0:-:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-22	Primary	nvd@nist.gov

CWE ID: CWE-22

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://go.dev/cl/468123	security@golang.org	Issue Tracking
https://go.dev/issue/57274	security@golang.org	Issue Tracking
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E	security@golang.org	Mailing List Vendor Advisory
https://pkg.go.dev/vuln/GO-2023-1568	security@golang.org	Vendor Advisory

Hyperlink: https://go.dev/cl/468123

Source: security@golang.org

Resource:

Issue Tracking

Hyperlink: https://go.dev/issue/57274

Source: security@golang.org

Resource:

Issue Tracking

Hyperlink: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

Source: security@golang.org

Resource:

Mailing List

Vendor Advisory

Hyperlink: https://pkg.go.dev/vuln/GO-2023-1568

Source: security@golang.org

Resource:

Vendor Advisory

CVE-2022-41722

Credits

Path traversal on Windows in path/filepath

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs