CVE-2022-30636

Limited directory traversal vulnerability on Windows in golang.org/x/crypto

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

httpTokenCacheKey usa path.Base para extraer el valor del token HTTP-01 esperado para buscarlo en la implementación de DirCache. En Windows, path.Base actúa de manera diferente a filepath.Base, ya que Windows usa un separador de ruta diferente (\ vs. /), lo que permite al usuario proporcionar una ruta relativa, es decir, .well-known/acme-challenge/..\. .\asd se convierte en ..\..\asd. Luego, la ruta extraída tiene el sufijo +http-01, se une al directorio de caché y se abre. Dado que la ruta controlada tiene el sufijo +http-01 antes de abrirse, el impacto de esto es significativamente limitado, ya que solo permite leer archivos arbitrarios en el sistema si y solo si tienen este sufijo.

*Credits: Juho Nurminen of Mattermost

CVSS Scores

CISAv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-05-12 CVE Reserved
2024-07-02 CVE Published
2024-07-03 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://go.dev/cl/408694
https://go.dev/issue/53082
https://pkg.go.dev/vuln/GO-2024-2961

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang.org/x/crypto Search vendor "Golang.org/x/crypto"		Golang.org/x/crypto/acme/autocert Search vendor "Golang.org/x/crypto" for product "Golang.org/x/crypto/acme/autocert"				< 0.0.0-20220525230936-793ad666bf5e Search vendor "Golang.org/x/crypto" for product "Golang.org/x/crypto/acme/autocert" and version " < 0.0.0-20220525230936-793ad666bf5e"		en		Affected