Relative Path Traversal

Overview std/path/filepath is a Go standard library package std/path/filepath Affected versions of this package are vulnerable to Relative Path Traversal. Go Vulnerability Report:The filepath package does not recognize paths with a ??\ prefix as special.On Windows, a path beginning with ??\ is a...

Rocky Linux 8 : container-tools:3.0 (RLSA-2022:7529)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7529 advisory. - Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if...

GHSA-6XV5-86Q9-7XR8 SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced

Impact For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path to result in generated paths that were outside of...

SecureJoin: on windows, paths outside of the rootfs could be inadvertently produced

Impact For Windows users of github.com/cyphar/filepath-securejoin, until v0.2.4 it was possible for certain rootfs and path combinations in particular, where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs path to result in generated paths that were outside of...

Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-128)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-128 advisory. A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating chunked encoding. This issue could allow request smuggling, but only if combined with an...

Moderate: Red Hat Security Advisory: container-tools:4.0 security and bug fix update

An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for eac...

ALSA-2023:2758 Moderate: container-tools:rhel8 security, bug fix, and enhancement update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: net/http: improper sanitization of Transfer-Encoding header CVE-2022-1705 golang: go/parser: stack exhaustion in all Parse functions CVE-2022-1962 golang:...

RHEL 9 : git-lfs (RHSA-2023:2357)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:2357 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...

Moderate: Red Hat Security Advisory: git-lfs security and bug fix update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

Amazon Linux 2023 : golist (ALAS2023-2023-046)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-046 advisory. 2023-05-11: CVE-2022-1996 has changed status to NOT AFFECTED for this package and has been removed from this advisory. A flaw was found in golang. The HTTP/1 client accepted invalid...

golang: path/filepath: stack exhaustion in Glob

A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability...

PT-2023-12208 · Unknown · Stoqey Gnuplot

Name of the Vulnerable Software and Affected Versions: Stoqey gnuplot versions 0.0.3 and earlier Description: An issue in Stoqey gnuplot allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child process, and/or filePath parameters. Recommendations: For Stoqey gnuplot...

DEBIAN-CVE-2022-41722

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

AZL-13738 CVE-2022-41722 affecting package msft-golang for versions less than 1.19.8-1

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

AZL-47227 CVE-2022-41722 affecting package golang for versions less than 1.22.7-2

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

AZL-37449 CVE-2022-41722 affecting package golang for versions less than 1.21.6-1

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

AZL-37435 CVE-2022-41722 affecting package golang for versions less than 1.21.6-1

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

Fedora 37 : golang (2023-559bf2c9f3)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-559bf2c9f3 advisory. go1.19.6 released 2023-02-14 includes security fixes to the crypto/tls, mime/multipart, net/http, and path/filepath packages, as well as bug fixes to the go...

SUSE CVE-2022-41722

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

SUSE CVE-2015-5590

Stack-based buffer overflow in the pharfixfilepath function in ext/phar/phar.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large length value, as demonstrated by mishandling...