Bugzilla – Bug 1203186
VUL-0: CVE-2022-32190: go1.19: net/url: JoinPath does not strip relative path components in all circumstances
Last modified: 2022-09-21 16:24:58 UTC
JoinPath and URL.JoinPath would not remove ../ path components appended to a relative path. For example, JoinPath("https://go.dev", "../go") returned the URL https://go.dev/../go, despite the JoinPath documentation stating that ../ path elements are cleaned from the result. Thanks to @q0jt for reporting this issue. This is CVE-2022-32190 and Go issue https://go.dev/issue/54385. net/url JoinPath() is new in go1.19. go1.18 and earlier are not affected.
This is an autogenerated message for OBS integration: This bug (1203186) was mentioned in https://build.opensuse.org/request/show/1001534 Factory / go1.19
SUSE-SU-2022:3326-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1200441,1203185,1203186 CVE References: CVE-2022-27664,CVE-2022-32190 JIRA References: Sources used: openSUSE Leap 15.4 (src): go1.19-1.19.1-150000.1.9.1 openSUSE Leap 15.3 (src): go1.19-1.19.1-150000.1.9.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): go1.19-1.19.1-150000.1.9.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): go1.19-1.19.1-150000.1.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.