CVE-2022-30636 - Vulnerability Details - OpenCVE

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00189.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://go.dev/cl/408694
https://go.dev/issue/53082
https://pkg.go.dev/vuln/GO-2024-2961

History

Wed, 07 Aug 2024 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2024-07-02T19:51:46.635Z

Updated: 2024-08-07T16:21:06.868Z

Reserved: 2022-05-12T19:48:54.308Z

Link: CVE-2022-30636

Vulnrichment

Updated: 2024-08-03T06:56:13.171Z

NVD

Status : Deferred

Published: 2024-07-02T20:15:05.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2022-30636

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-30636", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-05-12T19:48:54.308Z", "datePublished": "2024-07-02T19:51:46.635Z", "dateUpdated": "2024-08-07T16:21:06.868Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-07-02T19:51:46.635Z"}, "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/acme/autocert", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/crypto/acme/autocert", "versions": [{"version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "DirCache.Get"}, {"name": "DirCache.Put"}, {"name": "DirCache.Delete"}, {"name": "HostWhitelist"}, {"name": "Manager.GetCertificate"}, {"name": "Manager.Listener"}, {"name": "NewListener"}, {"name": "listener.Accept"}, {"name": "listener.Close"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://go.dev/cl/408694"}, {"url": "https://go.dev/issue/53082"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:56:13.171Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/408694", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/53082", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "golang", "product": "crypto", "cpes": ["cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T13:57:10.933970Z", "id": "CVE-2022-30636", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T16:21:06.868Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-30636", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-05-12T19:48:54.308Z", "datePublished": "2024-07-02T19:51:46.635Z", "dateUpdated": "2024-08-07T16:21:06.868Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-07-02T19:51:46.635Z"}, "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/acme/autocert", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/crypto/acme/autocert", "versions": [{"version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "DirCache.Get"}, {"name": "DirCache.Put"}, {"name": "DirCache.Delete"}, {"name": "HostWhitelist"}, {"name": "Manager.GetCertificate"}, {"name": "Manager.Listener"}, {"name": "NewListener"}, {"name": "listener.Accept"}, {"name": "listener.Close"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://go.dev/cl/408694"}, {"url": "https://go.dev/issue/53082"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:56:13.171Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/408694", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/53082", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-30636", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T13:57:10.933970Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"], "vendor": "golang", "product": "crypto", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T14:04:06.511Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}, {"lang": "es", "value": "httpTokenCacheKey usa path.Base para extraer el valor del token HTTP-01 esperado para buscarlo en la implementaci\u00f3n de DirCache. En Windows, path.Base act\u00faa de manera diferente a filepath.Base, ya que Windows usa un separador de ruta diferente (\\ vs. /), lo que permite al usuario proporcionar una ruta relativa, es decir, .well-known/acme-challenge/..\\. .\\asd se convierte en ..\\..\\asd. Luego, la ruta extra\u00edda tiene el sufijo +http-01, se une al directorio de cach\u00e9 y se abre. Dado que la ruta controlada tiene el sufijo +http-01 antes de abrirse, el impacto de esto es significativamente limitado, ya que solo permite leer archivos arbitrarios en el sistema si y solo si tienen este sufijo."}], "id": "CVE-2022-30636", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-02T20:15:05.173", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/408694"}, {"source": "security@golang.org", "url": "https://go.dev/issue/53082"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2024-2961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/cl/408694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/issue/53082"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Deferred"}