httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/…..\asd becomes …..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.
[
{
"cpes": [
"cpe:2.3:a:golang:crypto:-:*:*:*:*:*:*:*"
],
"vendor": "golang",
"product": "crypto",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "0.0.0-20220525230936-793ad666bf5e",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]