| Vulnerability Name: | CVE-2022-29804 (CCN-229857) | ||||||||||||||||||||||||||||||||||||
| Assigned: | 2022-06-01 | ||||||||||||||||||||||||||||||||||||
| Published: | 2022-06-01 | ||||||||||||||||||||||||||||||||||||
| Updated: | 2023-02-28 | ||||||||||||||||||||||||||||||||||||
| Summary: | Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw in the filepath.Clean function. By sending a specially-crafted request, an attacker could exploit this vulnerability to convert an invalid path to a valid, absolute path. | ||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:C/A:N)
| ||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-29804 Source: XF Type: UNKNOWN golang-cve202229804-sec-bypass(229857) Source: cve@mitre.org Type: Patch, Vendor Advisory cve@mitre.org Source: CCN Type: Golang Web site go1.18.3 (released 2022-06-01) Source: cve@mitre.org Type: Patch, Vendor Advisory cve@mitre.org Source: cve@mitre.org Type: Mailing List, Patch, Vendor Advisory cve@mitre.org Source: CCN Type: Golang Web page [security] Go 1.18.3 and Go 1.17.11 are released Source: cve@mitre.org Type: Mailing List, Release Notes cve@mitre.org Source: cve@mitre.org Type: Patch, Vendor Advisory cve@mitre.org Source: CCN Type: IBM Security Bulletin 6619905 (Spectrum Copy Data Management) Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management Source: CCN Type: IBM Security Bulletin 6619915 (Spectrum Protect Plus) Vulnerabilities in Linux Kernel, OpenSSL, Golang Go, and Zlib may affect IBM Spectrum Protect Plus Source: CCN Type: IBM Security Bulletin 6619963 (Spectrum Protect Plus) Vulnerabilities in Golang Go and MinIO may affect IBM Spectrum Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29804, CVE-2022-30580, CVE-2022-30629, CVE-2022-30634, CVE-2022-35919, CVE-2022-31028) Source: CCN Type: IBM Security Bulletin 6620897 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go Source: CCN Type: IBM Security Bulletin 6825557 (Event Streams) Multiple vulnerabilities in Golang Go affect IBM Event Streams Source: CCN Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management) Multiple Vulnerabilities in Multicloud Management Security Services Source: CCN Type: IBM Security Bulletin 6966300 (Cloud Pak System Software Suite) IBM Cloud Pak System is vulnerable to multiple vulnerabilities in Golang Go Source: CCN Type: Mend Vulnerability Database CVE-2022-29804 | ||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||