httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/…..\asd becomes …..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.
[
{
"vendor": "golang.org/x/crypto",
"product": "golang.org/x/crypto/acme/autocert",
"collectionURL": "https://pkg.go.dev",
"packageName": "golang.org/x/crypto/acme/autocert",
"versions": [
{
"version": "0",
"lessThan": "0.0.0-20220525230936-793ad666bf5e",
"status": "affected",
"versionType": "semver"
}
],
"platforms": [
"windows"
],
"programRoutines": [
{
"name": "DirCache.Get"
},
{
"name": "DirCache.Put"
},
{
"name": "DirCache.Delete"
},
{
"name": "HostWhitelist"
},
{
"name": "Manager.GetCertificate"
},
{
"name": "Manager.Listener"
},
{
"name": "NewListener"
},
{
"name": "listener.Accept"
},
{
"name": "listener.Close"
}
],
"defaultStatus": "unaffected"
}
]