CVE-2022-29804

Name
CVE-2022-29804
Description
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows a potential directory traversal attack.
NVD Severity
medium

References

Type URI
MISC https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
MISC https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
MISC https://pkg.go.dev/vuln/GO-2022-0533
MISC https://go.dev/cl/401595
MISC https://go.dev/issue/52476
MISC https://groups.google.com/g/golang-announce
CONFIRM https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg

Match rules

CPE URI Source package Min version Max version

Vulnerable and fixed packages

Source package Branch Version Maintainer Status