exploitDog
CVE-2022-32190

Published: 6 Sep 2022
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

A flaw was found in the golang package. JoinPath does not remove ../ path components appended to a domain that is not terminated by a slash, possibly leading to a directory traversal attack.
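To make the failure mode concrete, here is an added example (it is not code from this page or from the Go project): a reconstruction of the go1.19.0 JoinPath logic, a check that flags ".." segments surviving in a joined path, and a caller-side wrapper that rejects any element set whose joined result leaves the base path. The hosts go.dev (taken from the CVE text) and api.example, and the "/v1/users/" base, are illustrative inputs chosen for this example. The reconstruction is deliberately kept separate from net/url so the behaviour is the same whether or not the local Go toolchain already contains the upstream fix.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// vulnerableJoinPath reproduces the go1.19.0 logic of URL.JoinPath for
// illustration only (a reconstruction, not the standard library code).
// path.Join resolves ".." only against the elements before it; when u.Path
// is empty there is nothing to climb out of, so "../go" survives and the
// resulting URL is "https://go.dev/../go".
func vulnerableJoinPath(u *url.URL, elem ...string) *url.URL {
	res := *u
	if len(elem) > 0 {
		elem = append([]string{u.Path}, elem...)
		p := path.Join(elem...)
		// path.Join drops trailing slashes; keep one if the caller asked for it.
		if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
			p += "/"
		}
		res.Path = p
		res.RawPath = "" // simplification of setPath for inputs without escapes
	}
	return &res
}

// containsDotDot reports whether a ".." segment survived in a path. Run it
// over URLs produced by JoinPath on an unpatched toolchain to find results
// that escape their base.
func containsDotDot(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeJoinPath is a caller-side hardening that does not depend on the Go
// version: it anchors the base path at "/" so path.Join can never keep a
// leading "..", then refuses any result that is neither the base path nor a
// descendant of it. User-controlled elements produce an error instead of a
// silently rewritten URL.
func safeJoinPath(base *url.URL, elem ...string) (*url.URL, error) {
	basePath := "/" + strings.TrimPrefix(base.Path, "/")
	joined := path.Join(append([]string{basePath}, elem...)...)
	prefix := strings.TrimSuffix(basePath, "/")
	// The "/" after prefix stops "/v1/users2" from matching base "/v1/users".
	if joined != prefix && !strings.HasPrefix(joined, prefix+"/") {
		return nil, fmt.Errorf("joined path %q escapes base %q", joined, basePath)
	}
	res := *base
	res.Path = joined
	res.RawPath = ""
	return &res, nil
}

func main() {
	base, _ := url.Parse("https://go.dev")
	bad := vulnerableJoinPath(base, "../go")
	fmt.Println(bad.String(), containsDotDot(bad.Path)) // https://go.dev/../go true

	// Hypothetical API base with an attacker-controlled element (constructed input).
	api, _ := url.Parse("https://api.example/v1/users/")
	if _, err := safeJoinPath(api, "../admin"); err != nil {
		fmt.Println("rejected:", err)
	}
	ok, _ := safeJoinPath(api, "42", "profile")
	fmt.Println(ok.String()) // https://api.example/v1/users/42/profile
}
```

Note that when the base already has a non-empty path, even the go1.19.0 code collapses "../": path.Join("/v1/users/", "../admin") yields "/v1/admin". The defect is specific to a relative (empty) base path, which is why the CVE text talks about a domain without a trailing slash; the wrapper above still rejects the "/v1/admin" case because a silently rewritten target is rarely what the caller intended.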

Statement

The vulnerable functions, JoinPath and URL.JoinPath, were introduced in upstream go1.19, whereas RHEL ships go1.17 and go1.18, which do not contain the vulnerable code. Hence, packages shipped with RHEL 8 and RHEL 9 are not affected. All Y-stream releases of OpenShift Container Platform 4 run on RHEL 8 or RHEL 9, so OCP 4 is also not affected.

Affected packages

Platform | Package | State | Advisory | Release
Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Not affected | - | -
mirror registry for Red Hat OpenShift | mirror-registry-container | Affected | - | -
Node HealthCheck Operator | workload-availability/node-healthcheck-rhel8-operator | Affected | - | -
Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Affected | - | -
OpenShift Developer Tools and Services | helm | Fix deferred | - | -
OpenShift Developer Tools and Services | odo | Affected | - | -
OpenShift Pipelines | openshift-pipelines-client | Will not fix | - | -
OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Will not fix | - | -
OpenShift Serverless | openshift-serverless-clients | Will not fix | - | -
OpenShift Service Mesh 2 | openshift-golang-builder-container | Not affected | - | -

Additional information

Severity: Moderate
Weakness: CWE-22
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2124668 (golang: net/url: JoinPath does not strip relative path components in all circumstances)

EPSS: 0.00076 (percentile 24%), Low
CVSS3: 7.5 (High)

Related vulnerabilities

ubuntu | CVSS3: 7.5 | almost 3 years ago | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path.
nvd | CVSS3: 7.5 | almost 3 years ago | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path.
debian | CVSS3: 7.5 | almost 3 years ago | JoinPath and URL.JoinPath do not remove ../ path elements appended to ...
github | CVSS3: 9.8 | almost 3 years ago | JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path.
suse-cvrf | more than 2 years ago | Security update for go1.19
