ALT-PU-2022-2036-1
Closed vulnerabilities
Modified: 2024-11-21
CVE-2022-29804
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.
- https://go.dev/cl/401595
- https://go.dev/cl/401595
- https://go.dev/issue/52476
- https://go.dev/issue/52476
- https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
- https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0533
- https://pkg.go.dev/vuln/GO-2022-0533
Modified: 2024-11-21
CVE-2022-30580
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
- https://go.dev/cl/403759
- https://go.dev/cl/403759
- https://go.dev/issue/52574
- https://go.dev/issue/52574
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://go.googlesource.com/go/+/960ffa98ce73ef2c2060c84c7ac28d37a83f345e
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0532
- https://pkg.go.dev/vuln/GO-2022-0532
Modified: 2024-11-21
CVE-2022-30629
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
- https://go.dev/cl/405994
- https://go.dev/cl/405994
- https://go.dev/issue/52814
- https://go.dev/issue/52814
- https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5
- https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0531
- https://pkg.go.dev/vuln/GO-2022-0531
Modified: 2024-11-21
CVE-2022-30634
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
- https://go.dev/cl/402257
- https://go.dev/cl/402257
- https://go.dev/issue/52561
- https://go.dev/issue/52561
- https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
- https://go.googlesource.com/go/+/bb1f4416180511231de6d17a1f2f55c82aafc863
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
- https://pkg.go.dev/vuln/GO-2022-0477
- https://pkg.go.dev/vuln/GO-2022-0477