Описание
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
A flaw was found in Go, where it could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the filepath.Clean on Windows package. This flaw allows an attacker to send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Отчет
This CVE is specific to versions of Go on Windows. It does not affect any packages shipped with Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9.
The following components were fixed in RHSA-2023:3366 and have therefore been marked as "Not Affected": openshift, cri-tools, cri-o, containernetworking-plugins and conmon
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-operator-rhel9 | Not affected | ||
| Cryostat 2 | cryostat-tech-preview/cryostat-rhel8-operator | Under investigation | ||
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
| Migration Toolkit for Applications 6 | mta/mta-hub-rhel8 | Not affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-velero-plugin-rhel8 | Not affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhel8-operator | Not affected | ||
| mirror registry for Red Hat OpenShift | mirror-registry-container | Not affected | ||
| Network Observability Operator | network-observability/network-observability-rhel9-operator | Not affected | ||
| Node HealthCheck Operator | workload-availability/node-healthcheck-rhel8-operator | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
A path traversal vulnerability exists in filepath.Clean on Windows. On ...
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".
EPSS
7.5 High
CVSS3