CVE-2022-30636 - Vulnerability Details - OpenCVE

Description

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Published: 2024-07-02

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

golang.org/x/crypto

golang.org/x/crypto/acme/autocert

unaffected

Version	Status	Constraints
`0`	affected	< 0.0.0-20220525230936-793ad666bf5e

No data.

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00189.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://go.dev/cl/408694
https://go.dev/issue/53082
https://pkg.go.dev/vuln/GO-2024-2961

History

Wed, 07 Aug 2024 18:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2024-07-02T19:51:46.635Z

Updated: 2024-08-07T16:21:06.868Z

Reserved: 2022-05-12T19:48:54.308Z

Link: CVE-2022-30636

Vulnrichment

Updated: 2024-08-03T06:56:13.171Z

NVD

Status : Deferred

Published: 2024-07-02T20:15:05.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2022-30636

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-30636", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-05-12T19:48:54.308Z", "datePublished": "2024-07-02T19:51:46.635Z", "dateUpdated": "2024-08-07T16:21:06.868Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-07-02T19:51:46.635Z"}, "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/acme/autocert", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/crypto/acme/autocert", "versions": [{"version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "DirCache.Get"}, {"name": "DirCache.Put"}, {"name": "DirCache.Delete"}, {"name": "HostWhitelist"}, {"name": "Manager.GetCertificate"}, {"name": "Manager.Listener"}, {"name": "NewListener"}, {"name": "listener.Accept"}, {"name": "listener.Close"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://go.dev/cl/408694"}, {"url": "https://go.dev/issue/53082"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:56:13.171Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/408694", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/53082", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "golang", "product": "crypto", "cpes": ["cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T13:57:10.933970Z", "id": "CVE-2022-30636", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-07T16:21:06.868Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-30636", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-05-12T19:48:54.308Z", "datePublished": "2024-07-02T19:51:46.635Z", "dateUpdated": "2024-08-07T16:21:06.868Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-07-02T19:51:46.635Z"}, "title": "Limited directory traversal vulnerability on Windows in golang.org/x/crypto", "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}], "affected": [{"vendor": "golang.org/x/crypto", "product": "golang.org/x/crypto/acme/autocert", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/crypto/acme/autocert", "versions": [{"version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "DirCache.Get"}, {"name": "DirCache.Put"}, {"name": "DirCache.Delete"}, {"name": "HostWhitelist"}, {"name": "Manager.GetCertificate"}, {"name": "Manager.Listener"}, {"name": "NewListener"}, {"name": "listener.Accept"}, {"name": "listener.Close"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://go.dev/cl/408694"}, {"url": "https://go.dev/issue/53082"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "credits": [{"lang": "en", "value": "Juho Nurminen of Mattermost"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:56:13.171Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/cl/408694", "tags": ["x_transferred"]}, {"url": "https://go.dev/issue/53082", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2024-2961", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-30636", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T13:57:10.933970Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"], "vendor": "golang", "product": "crypto", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.0-20220525230936-793ad666bf5e", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T14:04:06.511Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\\..\\asd becomes ..\\..\\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix."}, {"lang": "es", "value": "httpTokenCacheKey usa path.Base para extraer el valor del token HTTP-01 esperado para buscarlo en la implementaci\u00f3n de DirCache. En Windows, path.Base act\u00faa de manera diferente a filepath.Base, ya que Windows usa un separador de ruta diferente (\\ vs. /), lo que permite al usuario proporcionar una ruta relativa, es decir, .well-known/acme-challenge/..\\. .\\asd se convierte en ..\\..\\asd. Luego, la ruta extra\u00edda tiene el sufijo +http-01, se une al directorio de cach\u00e9 y se abre. Dado que la ruta controlada tiene el sufijo +http-01 antes de abrirse, el impacto de esto es significativamente limitado, ya que solo permite leer archivos arbitrarios en el sistema si y solo si tienen este sufijo."}], "id": "CVE-2022-30636", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-02T20:15:05.173", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/408694"}, {"source": "security@golang.org", "url": "https://go.dev/issue/53082"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2024-2961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/cl/408694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://go.dev/issue/53082"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pkg.go.dev/vuln/GO-2024-2961"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Deferred"}