CVE-2022-30636 Limited directory traversal vulnerability on Windows in golang.org/x/crypto

2024-07-0219:51:46

github.com

vulnerability

windows

directory traversal

golang.org/x/crypto

limited

http-01 token

dircache

path separator

relative path

cache directory

arbitrary files

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

partial

JSON

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/…..\asd becomes …..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"
    ],
    "vendor": "golang",
    "product": "crypto",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "0.0.0-20220525230936-793ad666bf5e",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]