Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-32190

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

Published

2022-09-13T18:15:14.507

Last Modified

2024-11-21T07:05:53.640

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	1.19.0	Yes
Application	golang	go	1.19.0	Yes
Application	golang	go	1.19.0	Yes
Application	golang	go	1.19.0	Yes

References

https://go.dev/cl/423514 Patch, Release Notes ([email protected])
https://go.dev/issue/54385 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s Mailing List, Third Party Advisory ([email protected])
https://pkg.go.dev/vuln/GO-2022-0988 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://go.dev/cl/423514 Patch, Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://go.dev/issue/54385 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://pkg.go.dev/vuln/GO-2022-0988 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)