Linux Distros Unpatched Vulnerability : CVE-2022-41720

🗓️ 05 Mar 2025 00:00:00Reported by TenableType

Linux hosts may have unpatched vulnerability CVE-2022-41720 affecting installed packages.

Reporter	Title	Published	Views	Family All 79
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Golang Go affect Cloud Pak System	2 Jan 202411:59	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of Golang Go, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities.	15 Sep 202305:47	–	ibm
AlpineLinux	CVE-2022-41720	7 Dec 202216:11	–	alpinelinux
Circl	CVE-2022-41720	7 Dec 202220:11	–	circl
CNNVD	Google Golang 路径遍历漏洞	7 Dec 202200:00	–	cnnvd
CVE	CVE-2022-41720	7 Dec 202216:11	–	cve
Cvelist	CVE-2022-41720 Restricted file access on Windows in os and net/http	7 Dec 202216:11	–	cvelist
ALT Linux	Security fix for the ALT Linux 10 package golang version 1.19.4-alt1	7 Dec 202200:00	–	altlinux
Debian CVE	CVE-2022-41720	7 Dec 202216:11	–	debiancve
Oracle linux	ol8addon security update	7 Mar 202300:00	–	oraclelinux

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2022-41720
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(225005);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/27");

  script_cve_id("CVE-2022-41720");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2022-41720");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir
    type provide access to a tree of files rooted at a given directory. These functions permit access to
    Windows device files under that root. For example, os.DirFS(C:/tmp).Open(COM1) opens the COM1 device.
    Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS
    for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the
    drive and access any path on the system. With fix applied, the behavior of os.DirFS() has changed.
    Previously, an empty root was treated equivalently to /, so os.DirFS().Open(tmp) would open the path
    /tmp. This now returns an error. (CVE-2022-41720)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-41720");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-41720");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.15");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("set_linux_os_id.nasl", "ssh_get_info2.nasl");
  script_require_keys("Host/OS/identifier", "Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched");
  script_require_ports("Host/OS/Debian Linux-11");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "golang-1.15"},
          {"reference": "golang-1.15-doc"},
          {"reference": "golang-1.15-go"},
          {"reference": "golang-1.15-src"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

27 Aug 2025 00:00Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.5

EPSS0.00035

SSVC