CVE-2022-41720

CVSS V2 None CVSS V3 None
Description
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.
Overview
  • CVE ID
  • CVE-2022-41720
  • Assigner
  • security@golang.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-07T17:15:10
  • Last Modified Date
  • 2022-12-12T14:58:01
Weakness Enumerations
CWE URL
CWE-22 http://cwe.mitre.org/data/definitions/22.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* 1 OR 1.18.9
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* 1 OR 1.19.0 1.19.4
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 0 OR
References
Reference URL Reference Tags
https://go.dev/cl/455716
https://go.dev/issue/56694
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
https://pkg.go.dev/vuln/GO-2022-1143
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-41720
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41720
History
Created Old Value New Value Data Type Notes
2022-12-07 18:06:54 Added to TrackCVE
2022-12-07 21:15:58 2022-12-07T17:15:10.293 2022-12-07T17:15:10 CVE Published Date updated
2022-12-07 21:15:58 2022-12-07T21:00:47 CVE Modified Date updated
2022-12-07 21:15:58 Received Awaiting Analysis Vulnerability Status updated
2022-12-09 13:23:14 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2022-12-12 15:15:20 2022-12-12T14:58:01 CVE Modified Date updated
2022-12-12 15:15:20 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-12 15:15:20 CWE-22 Weakness Enumeration new
2022-12-12 15:15:21 CPE Information updated