Bug 2203008 (CVE-2022-41722)
| Summary: | CVE-2022-41722 golang: path/filepath: path-filepath filepath.Clean path traversal | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aazores, abishop, alakatos, amasferr, amctagga, ansmith, aoconnor, apevec, asm, aveerama, bbaude, bbuckingham, bcl, bcourt, bdettelb, bniver, bodavis, chazlett, cwelton, davidn, dbenoit, debarshir, desktop-qa-list, dfreiber, dkenigsb, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jaharrin, jburrell, jcammara, jcantril, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, joelsmith, jpallich, jsherril, jwendell, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mnewsome, mrajanna, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, ocs-bugs, opohorel, orabin, oramraz, osapryki, osbuilders, owatkins, pahickey, pcreech, pehunt, periklis, pjindal, pthomas, rcernich, rchan, rgarg, rhcos-sst, rhos-maint, rhuss, rjohnson, rogbas, rsroka, saroy, scorneli, scox, sfroberg, sgott, shbose, simaishi, sipoyare, skontopo, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, teagle, tjochec, tstellar, tsweeney, twalsh, ubhargav, umohnani, vereddy, vkumar, vrothber, whayutin, yguenane, zsadeh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Go 1.20.1, Go 1.19.6 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Go, where it could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the filepath.Clean on Windows package. This flaw allows an attacker to send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-31 01:13:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2169910 | ||
|
Description
Avinash Hanwate
2023-05-11 03:54:58 UTC
What version of Go is this fixed in? Also, I'm unable to get access to the embargoed CVE. Can you please update the Fixed In Version field of this bug. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3304 https://access.redhat.com/errata/RHSA-2023:3304 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41722 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366 Hey Tom, sorry for the delay. The fixed versions are Go 1.20.1 & Go 1.19.6 removed openshift-golang-builder-container from affects to remove from CVE page (IBM is upset about it) also set `openshift`, `cri-tools`, `cri-o`, `containernetworking-plugins` and `conmon` as not affected due to same reason as #comment15 (https://redhat.service-now.com/surl.do?n=INC2921226) |