Lucene search

K
cve[email protected]CVE-2022-32190
HistorySep 13, 2022 - 6:15 p.m.

CVE-2022-32190

2022-09-1318:15:14
CWE-22
web.nvd.nist.gov
163
7
cve
2022
32190
joinpath
url.joinpath
path elements
security vulnerability
nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.3%

JoinPath and URL.JoinPath do not remove โ€ฆ/ path elements appended to a relative path. For example, JoinPath(โ€œhttps://go.devโ€, โ€œโ€ฆ/goโ€) returns the URL โ€œhttps://go.dev/../goโ€, despite the JoinPath documentation stating that โ€ฆ/ path elements are removed from the result.

Affected configurations

NVD
Node
golanggoMatch1.19.0-
OR
golanggoMatch1.19.0beta1
OR
golanggoMatch1.19.0rc1
OR
golanggoMatch1.19.0rc2
CPENameOperatorVersion
golang:gogolang goeq1.19.0

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "net/url",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "net/url",
    "versions": [
      {
        "version": "1.19.0-0",
        "lessThan": "1.19.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "URL.JoinPath"
      },
      {
        "name": "JoinPath"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Social References

More

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.3%