A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After the fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". References: https://pkg.go.dev/vuln/GO-2023-1568 , https://go.dev/cl/468123 , https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E , https://go.dev/issue/57274
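A defensive join that rejects the class of input described in the report, as an added example (not code from the bug, the reporter, or the Go project). It assumes the caller serves files under a fixed root, and the per-component drive-letter guard is a portable heuristic added here, not part of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for user-supplied paths that must not be used.
var ErrUnsafePath = errors.New("unsafe path")

// SafeJoin joins a user-supplied relative path onto root and rejects input
// that is absolute, carries a volume name, or escapes root after cleaning.
// The per-component drive-letter check ("c:") is an extra, portable guard
// motivated by the filepath.Clean behaviour in the report; it is an
// assumption of this example, not something the Go fix itself does.
func SafeJoin(root, userPath string) (string, error) {
	if userPath == "" || filepath.IsAbs(userPath) || filepath.VolumeName(userPath) != "" {
		return "", ErrUnsafePath
	}
	// Inspect raw components before cleaning so ".." cannot hide a drive spec.
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, comp := range strings.FieldsFunc(userPath, isSep) {
		if len(comp) >= 2 && comp[1] == ':' {
			return "", ErrUnsafePath
		}
	}
	joined := filepath.Join(root, userPath) // Join cleans the result
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs: one benign, one classic traversal, one from the report.
	for _, p := range []string{"docs/readme.txt", "../etc/passwd", "a/../c:/b"} {
		out, err := SafeJoin("/srv/data", p)
		fmt.Printf("%-18q -> %q, %v\n", p, out, err)
	}
}
```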
What version of Go is this fixed in? Also, I'm unable to get access to the embargoed CVE. Can you please update the Fixed In Version field of this bug.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3304 https://access.redhat.com/errata/RHSA-2023:3304
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41722
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3366 https://access.redhat.com/errata/RHSA-2023:3366
Hey Tom, sorry for the delay. The fixed versions are Go 1.20.1 & Go 1.19.6.
Removed openshift-golang-builder-container from affects to remove it from the CVE page (IBM is upset about it). Also set `openshift`, `cri-tools`, `cri-o`, `containernetworking-plugins` and `conmon` as not affected for the same reason as #comment15 (https://redhat.service-now.com/surl.do?n=INC2921226).