GO-2024-2961

See a problem?

Source

https://pkg.go.dev/vuln/GO-2024-2961

Import Source

https://vuln.go.dev/ID/GO-2024-2961.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2961

Aliases

CVE-2022-30636

Published

2024-07-02T19:27:52Z

Modified

2024-07-02T19:57:24.068933Z

Summary

Limited directory traversal vulnerability on Windows in golang.org/x/crypto

Details

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/....\asd becomes ....\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened.

Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

References

Credits

- Juho Nurminen of Mattermost

Affected packages

Go / golang.org/x/crypto

Package

Name: golang.org/x/crypto; View open source insights on deps.dev
Purl: pkg:golang/golang.org/x/crypto

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20220525230936-793ad666bf5e

Ecosystem specific

{
    "imports": [
        {
            "path": "golang.org/x/crypto/acme/autocert",
            "symbols": [
                "DirCache.Delete",
                "DirCache.Get",
                "DirCache.Put",
                "HostWhitelist",
                "Manager.GetCertificate",
                "Manager.Listener",
                "NewListener",
                "listener.Accept",
                "listener.Close"
            ],
            "goos": [
                "windows"
            ]
        }
    ]
}