Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-30636
Summary
The packages golang.org/x/crypto and github.com/golang/crypto, versions v0.0.0-20160816185256-f0e11a3ccc7e through v0.0.0-20220518034528-6f7dac969898, are vulnerable to path traversal. "httpTokenCacheKey" uses "path.Base" to extract the expected HTTP-01 token value to look up in the DirCache implementation. On Windows, "path.Base" behaves differently from "filepath.Base" because Windows uses a different path separator (\ vs. /). This allows a user to provide a relative path, e.g. ".well-known/acme-challenge/..\..\asd" becomes "..\..\asd". The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Because the attacker-controlled path is suffixed with +http-01 before it is opened, the impact is significantly limited: arbitrary files on the system can be read if and only if their names end with this suffix.
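The key derivation described above, next to a stricter token check, as an added example that is not code from golang.org/x/crypto. `vulnerableKey`, `resolvesOutside` and `safeKey` are hypothetical names, the request paths are constructed, and `resolvesOutside` only models a Windows-style join so the effect is visible on any OS.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// vulnerableKey reproduces the derivation described above: path.Base splits
// only on '/', so a segment built from backslashes passes through untouched.
func vulnerableKey(urlPath string) string {
	return path.Base(urlPath) + "+http-01"
}

// resolvesOutside models a Windows-style join, where both '\' and '/' separate
// path elements, and reports whether key ends up outside cacheDir.
func resolvesOutside(cacheDir, key string) bool {
	joined := path.Join(cacheDir, strings.ReplaceAll(key, `\`, "/"))
	return !strings.HasPrefix(joined, cacheDir+"/")
}

// safeKey (hypothetical helper) accepts only base64url characters, the
// alphabet ACME tokens are drawn from, before building the cache key.
func safeKey(urlPath string) (string, error) {
	token := path.Base(urlPath)
	for _, r := range token {
		ok := r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' ||
			r >= '0' && r <= '9' || r == '-' || r == '_'
		if !ok {
			return "", errors.New("invalid HTTP-01 token")
		}
	}
	return token + "+http-01", nil
}

func main() {
	// Constructed request paths: an ordinary token and the advisory's example.
	for _, p := range []string{
		"/.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZ",
		`/.well-known/acme-challenge/..\..\asd`,
	} {
		key := vulnerableKey(p)
		_, err := safeKey(p)
		fmt.Printf("%q -> %q outside=%v rejected=%v\n",
			p, key, resolvesOutside("cache", key), err != nil)
	}
}
```

Rejecting anything outside the token alphabet removes both separators and the dot, so the check does not depend on which OS the server runs on.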
- HIGH
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-22 - Path Traversal
Path traversal (or directory traversal) is a vulnerability that allows malicious users to traverse the server's root directory, gaining access to arbitrary files and folders such as application code and data, back-end credentials, and sensitive operating system files. In the worst-case scenario, an attacker could potentially execute arbitrary files on the server, resulting in a denial of service attack. Such an exploit may severely impact the integrity, confidentiality, and availability of an application.