GO-2024-2961

See a problem?
Please try reporting it to the source first.
Source
https://pkg.go.dev/vuln/GO-2024-2961
Import Source
https://vuln.go.dev/ID/GO-2024-2961.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2961
Aliases
Published
2024-07-02T19:27:52Z
Modified
2024-07-02T19:57:24.068933Z
Summary
Limited directory traversal vulnerability on Windows in golang.org/x/crypto
Details

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/....\asd becomes ....\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.

Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Database specific 
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2961"
}
References
Credits
    • Juho Nurminen of Mattermost

Affected packages

Go / golang.org/x/crypto

Package

Name
golang.org/x/crypto
View open source insights on deps.dev
Purl
pkg:golang/golang.org/x/crypto

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20220525230936-793ad666bf5e

Ecosystem specific 

{
    "imports": [
        {
            "path": "golang.org/x/crypto/acme/autocert",
            "symbols": [
                "DirCache.Delete",
                "DirCache.Get",
                "DirCache.Put",
                "HostWhitelist",
                "Manager.GetCertificate",
                "Manager.Listener",
                "NewListener",
                "listener.Accept",
                "listener.Close"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}