Bug 2124668 (CVE-2022-32190) - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
Summary: CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2127941 2125778 2126657 2126658 2126660 2126662 2126663 2126664 2126665 2126666 2126667 2126668 2126669 2126670 2126671 2126672 2126673 2126674 2126675 2127942 2130146 2130147
Blocks: 2124673
Reported: 2022-09-06 18:03 UTC by TEJ RATHI
Modified: 2024-03-19 13:41 UTC
CC List: 153 users

Fixed In Version: golang 1.19.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package. net/url's JoinPath does not remove ../ path components when they are appended to a URL that has no path after the host (for example https://go.dev with no trailing slash), so the result can still contain ../ and possibly lead to a directory traversal attack.
Clone Of:
Environment:
Last Closed: 2022-12-08 18:33:14 UTC
Embargoed:




Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2022:7399  2023-01-17 19:37:20 UTC
Red Hat Product Errata  RHSA-2022:8634  2022-11-28 02:52:00 UTC
Red Hat Product Errata  RHSA-2023:0264  2023-01-19 11:04:27 UTC
Red Hat Product Errata  RHSA-2023:0584  2023-05-18 14:27:45 UTC
Red Hat Product Errata  RHSA-2023:0693  2023-02-09 02:17:49 UTC
Red Hat Product Errata  RHSA-2023:3204  2023-05-18 00:36:29 UTC
Red Hat Product Errata  RHSA-2023:3205  2023-05-18 02:55:16 UTC
Red Hat Product Errata  RHSA-2023:3613  2023-06-26 01:15:57 UTC
Red Hat Product Errata  RHSA-2023:3642  2023-06-15 16:00:55 UTC
Red Hat Product Errata  RHSA-2023:3742  2023-06-22 19:51:50 UTC
Red Hat Product Errata  RHSA-2024:0485  2024-01-31 16:18:21 UTC

Description TEJ RATHI 2022-09-06 18:03:49 UTC
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result.

References:
https://go.dev/issue/54385
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ

Upstream Commits:
Master : https://github.com/golang/go/commit/0765da5884adcc8b744979303a36a27092d8fc51
Branch.go1.19 : https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec
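Added example (not part of the bug report and not the Go project's own code): a Go program that re-implements, in simplified form, the pre-1.19.1 and the corrected JoinPath logic side by side, so the behaviour described in the report can be reproduced on any toolchain regardless of whether its net/url is already patched, plus a ".." segment check a caller can apply to any joined URL. The names setPath, joinPathPreFix, joinPathFixed, JoinPreFix, JoinFixed and HasDotDotSegment and the sample inputs are this example's own; setPath only approximates the unexported net/url method and ignores some escaping corner cases.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// setPath approximates what net/url does after joining (assumption: the real
// unexported method handles more escaping cases): store the unescaped form in
// Path and keep the caller's escaping in RawPath only when it is not canonical.
func setPath(u *url.URL, p string) {
	unescaped, err := url.PathUnescape(p)
	if err != nil {
		unescaped = p
	}
	u.Path = unescaped
	if (&url.URL{Path: unescaped}).EscapedPath() == p {
		u.RawPath = ""
	} else {
		u.RawPath = p
	}
}

// joinPathPreFix reproduces the JoinPath logic before Go 1.19.1. When the base
// URL has no path, EscapedPath() is "" and path.Join drops it, so a leading
// "../" survives path.Clean and lands directly after the host in String().
func joinPathPreFix(u *url.URL, elem ...string) *url.URL {
	out := *u
	if len(elem) > 0 {
		elem = append([]string{u.EscapedPath()}, elem...)
		p := path.Join(elem...)
		// path.Join removes trailing slashes; preserve at least one.
		if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
			p += "/"
		}
		setPath(&out, p)
	}
	return &out
}

// joinPathFixed reproduces the corrected logic: a base path that is not rooted
// is temporarily anchored at "/" so path.Clean cannot climb above it, and the
// anchor is stripped again afterwards, keeping relative bases relative.
func joinPathFixed(u *url.URL, elem ...string) *url.URL {
	elem = append([]string{u.EscapedPath()}, elem...)
	var p string
	if !strings.HasPrefix(elem[0], "/") {
		elem[0] = "/" + elem[0]
		p = path.Join(elem...)[1:]
	} else {
		p = path.Join(elem...)
	}
	if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
		p += "/"
	}
	out := *u
	setPath(&out, p)
	return &out
}

// JoinPreFix and JoinFixed are string-in, string-out wrappers for the two variants.
func JoinPreFix(base string, elem ...string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	return joinPathPreFix(u, elem...).String(), nil
}

func JoinFixed(base string, elem ...string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	return joinPathFixed(u, elem...).String(), nil
}

// HasDotDotSegment parses a URL and reports whether its path still contains a
// ".." segment, a guard a caller can apply to any JoinPath result on a toolchain
// that may not be patched. Unparseable input is reported as unsafe.
func HasDotDotSegment(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return true
	}
	for _, seg := range strings.Split(u.EscapedPath(), "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: the report's own case plus variants.
	cases := [][]string{
		{"https://go.dev", "../go"},
		{"https://go.dev/", "../go"},
		{"https://go.dev/api", "../../etc/passwd"},
		{"https://go.dev", "go/"},
	}
	for _, c := range cases {
		before, _ := JoinPreFix(c[0], c[1])
		after, _ := JoinFixed(c[0], c[1])
		fmt.Printf("%-20s + %-18s pre-fix: %-26s fixed: %s (dotdot=%v)\n",
			c[0], c[1], before, after, HasDotDotSegment(before))
	}
}
```

Running it shows that only the bare https://go.dev base differs between the two variants: with a trailing slash or an existing path, path.Clean already collapses the ../ elements, which is the "not terminated by a slash" condition in the Doc Text. The fix is to build with Go 1.19.1 or later (or the rebuilt packages in the errata listed on this bug); the HasDotDotSegment check is only a guard for code that must still run on an older toolchain.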

Comment 4 Avinash Hanwate 2022-09-14 08:24:34 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2126657]
Affects: fedora-all [bug 2126658]

Comment 12 errata-xmlrpc 2022-11-28 02:51:55 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634

Comment 15 Product Security DevOps Team 2022-12-08 18:33:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32190

Comment 18 errata-xmlrpc 2023-01-17 19:37:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399

Comment 19 errata-xmlrpc 2023-01-19 11:04:20 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 21 errata-xmlrpc 2023-02-09 02:17:42 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 22 errata-xmlrpc 2023-05-18 00:36:23 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 23 errata-xmlrpc 2023-05-18 02:55:12 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 24 errata-xmlrpc 2023-05-18 14:27:39 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 25 errata-xmlrpc 2023-06-15 16:00:48 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 26 errata-xmlrpc 2023-06-22 19:51:45 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 27 errata-xmlrpc 2023-06-26 01:15:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613

Comment 29 errata-xmlrpc 2024-01-31 16:18:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0485 https://access.redhat.com/errata/RHSA-2024:0485

