CVE-2022-30636 (GCVE-0-2022-30636)
Vulnerability from cvelistv5 – Published: 2024-07-02 19:51 – Updated: 2024-08-07 16:21
VLAI
Title
Limited directory traversal vulnerability on Windows in golang.org/x/crypto
Summary
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.
Severity
7.5 (High)
CWE
- CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/crypto | golang.org/x/crypto/acme/autocert |
Affected:
0 , < 0.0.0-20220525230936-793ad666bf5e
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:13.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/408694"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/53082"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2961"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crypto",
"vendor": "golang",
"versions": [
{
"lessThan": "0.0.0-20220525230936-793ad666bf5e",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-30636",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T13:57:10.933970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T16:21:06.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/crypto/acme/autocert",
"platforms": [
"windows"
],
"product": "golang.org/x/crypto/acme/autocert",
"programRoutines": [
{
"name": "DirCache.Get"
},
{
"name": "DirCache.Put"
},
{
"name": "DirCache.Delete"
},
{
"name": "HostWhitelist"
},
{
"name": "Manager.GetCertificate"
},
{
"name": "Manager.Listener"
},
{
"name": "NewListener"
},
{
"name": "listener.Accept"
},
{
"name": "listener.Close"
}
],
"vendor": "golang.org/x/crypto",
"versions": [
{
"lessThan": "0.0.0-20220525230936-793ad666bf5e",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juho Nurminen of Mattermost"
}
],
"descriptions": [
{
"lang": "en",
"value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T19:51:46.635Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/408694"
},
{
"url": "https://go.dev/issue/53082"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2961"
}
],
"title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-30636",
"datePublished": "2024-07-02T19:51:46.635Z",
"dateReserved": "2022-05-12T19:48:54.308Z",
"dateUpdated": "2024-08-07T16:21:06.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-30636",
"date": "2026-05-27",
"epss": "0.00189",
"percentile": "0.40421"
},
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\\\..\\\\asd becomes ..\\\\..\\\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.\"}, {\"lang\": \"es\", \"value\": \"httpTokenCacheKey usa path.Base para extraer el valor del token HTTP-01 esperado para buscarlo en la implementaci\\u00f3n de DirCache. En Windows, path.Base act\\u00faa de manera diferente a filepath.Base, ya que Windows usa un separador de ruta diferente (\\\\ vs. /), lo que permite al usuario proporcionar una ruta relativa, es decir, .well-known/acme-challenge/..\\\\. .\\\\asd se convierte en ..\\\\..\\\\asd. Luego, la ruta extra\\u00edda tiene el sufijo +http-01, se une al directorio de cach\\u00e9 y se abre. Dado que la ruta controlada tiene el sufijo +http-01 antes de abrirse, el impacto de esto es significativamente limitado, ya que solo permite leer archivos arbitrarios en el sistema si y solo si tienen este sufijo.\"}]",
"id": "CVE-2022-30636",
"lastModified": "2024-11-21T07:03:04.590",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2024-07-02T20:15:05.173",
"references": "[{\"url\": \"https://go.dev/cl/408694\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/issue/53082\", \"source\": \"security@golang.org\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-2961\", \"source\": \"security@golang.org\"}, {\"url\": \"https://go.dev/cl/408694\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://go.dev/issue/53082\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-2961\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Awaiting Analysis"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-30636\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2024-07-02T20:15:05.173\",\"lastModified\":\"2024-11-21T07:03:04.590\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\\\..\\\\asd becomes ..\\\\..\\\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.\"},{\"lang\":\"es\",\"value\":\"httpTokenCacheKey usa path.Base para extraer el valor del token HTTP-01 esperado para buscarlo en la implementaci\u00f3n de DirCache. En Windows, path.Base act\u00faa de manera diferente a filepath.Base, ya que Windows usa un separador de ruta diferente (\\\\ vs. /), lo que permite al usuario proporcionar una ruta relativa, es decir, .well-known/acme-challenge/..\\\\. .\\\\asd se convierte en ..\\\\..\\\\asd. Luego, la ruta extra\u00edda tiene el sufijo +http-01, se une al directorio de cach\u00e9 y se abre. Dado que la ruta controlada tiene el sufijo +http-01 antes de abrirse, el impacto de esto es significativamente limitado, ya que solo permite leer archivos arbitrarios en el sistema si y solo si tienen este sufijo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"references\":[{\"url\":\"https://go.dev/cl/408694\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/issue/53082\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2024-2961\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/cl/408694\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://go.dev/issue/53082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://pkg.go.dev/vuln/GO-2024-2961\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2024-07-02T19:51:46.635Z\"}, \"title\": \"Limited directory traversal vulnerability on Windows in golang.org/x/crypto\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\\\..\\\\asd becomes ..\\\\..\\\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.\"}], \"affected\": [{\"vendor\": \"golang.org/x/crypto\", \"product\": \"golang.org/x/crypto/acme/autocert\", \"collectionURL\": \"https://pkg.go.dev\", \"packageName\": \"golang.org/x/crypto/acme/autocert\", \"versions\": [{\"version\": \"0\", \"lessThan\": \"0.0.0-20220525230936-793ad666bf5e\", \"status\": \"affected\", \"versionType\": \"semver\"}], \"platforms\": [\"windows\"], \"programRoutines\": [{\"name\": \"DirCache.Get\"}, {\"name\": \"DirCache.Put\"}, {\"name\": \"DirCache.Delete\"}, {\"name\": \"HostWhitelist\"}, {\"name\": \"Manager.GetCertificate\"}, {\"name\": \"Manager.Listener\"}, {\"name\": \"NewListener\"}, {\"name\": \"listener.Accept\"}, {\"name\": \"listener.Close\"}], \"defaultStatus\": \"unaffected\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE 22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"references\": [{\"url\": \"https://go.dev/cl/408694\"}, {\"url\": \"https://go.dev/issue/53082\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-2961\"}], \"credits\": [{\"lang\": \"en\", \"value\": \"Juho Nurminen of Mattermost\"}]}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T06:56:13.171Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://go.dev/cl/408694\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://go.dev/issue/53082\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-2961\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-30636\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-03T13:57:10.933970Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*\"], \"vendor\": \"golang\", \"product\": \"crypto\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.0.0-20220525230936-793ad666bf5e\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-03T14:04:06.511Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2022-30636\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Go\", \"dateReserved\": \"2022-05-12T19:48:54.308Z\", \"datePublished\": \"2024-07-02T19:51:46.635Z\", \"dateUpdated\": \"2024-08-07T16:21:06.868Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…