Vulnerability Name:

CVE-2022-41722 (CCN-248950)

Assigned:2022-12-12
Published:2022-12-12
Updated:2023-03-10
Summary:Go could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the filepath.Clean on Windows package. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2022-41722

Source: XF
Type: UNKNOWN
go-cve202241722-dir-trav(248950)

Source: CCN
Type: Go GIT Repository
path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722) #57274

Source: security@golang.org
Type: Issue Tracking
security@golang.org

Source: security@golang.org
Type: Issue Tracking
security@golang.org

Source: security@golang.org
Type: Mailing List, Vendor Advisory
security@golang.org

Source: CCN
Type: Go Vulnerability Database
Vulnerability Report: GO-2023-1568

Source: security@golang.org
Type: Vendor Advisory
security@golang.org

Vulnerability Name:

CVE-2022-41722 (CCN-248952)

Assigned:2022-09-28
Published:2023-02-16
Updated:2023-02-28
Summary:Golang Go could allow a remote attacker to traverse directories on the system, caused by a flaw in the the filepath.Clean function. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): 
Attack Complexity (AC): 
Privileges Required (PR): 
User Interaction (UI): 
Scope:Scope (S): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availibility (A): 
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2022-41722

Source: XF
Type: UNKNOWN
golang-cve202241722-dir-traversal(248952)

Source: CCN
Type: GO-2023-1568
filepath.Clean

Source: CCN
Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent)
Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 7004575 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go

Source: CCN
Type: IBM Security Bulletin 7005589 (Spectrum Protect Plus)
Vulnerabilities in Apache Commons, Tomcat, Go, libcurl, OpenSSL, Python, Node.js, and Linux can affect IBM Spectrum Protect Plus.

Source: CCN
Type: IBM Security Bulletin 7009921 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is affected by multiple vulnerabilities in Golang Go

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:golang:go:1.19.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8013
    P
    		go1.19-1.19.9-150000.1.31.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:8014
    P
    		go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)
    2023-06-20
    BACK
    golang go 1.19.5
    ibm spectrum protect plus 10.1.0