CVE-2022-41720 : On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.D

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

Published 2022-12-07 17:15:10

Updated 2025-04-23 16:15:25

Source Go Project

View at NVD, CVE.org

Products affected by CVE-2022-41720

Golang » GO
Versions from including (>=) 1.19.0 and before (<) 1.19.4
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Golang » GO
Versions before (<) 1.18.9
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-41720

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41720

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-04-23
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-41720

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-41720

https://go.dev/cl/455716

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows (I275b5fa3) · Gerrit Code Review
Patch;Vendor Advisory
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ

[security] Go 1.19.4 and Go 1.18.9 are released
Patch;Release Notes;Third Party Advisory

CVEs referencing this url
https://pkg.go.dev/vuln/GO-2022-1143

GO-2022-1143 - Go Packages
Patch;Vendor Advisory
https://go.dev/issue/56694

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows CVE-2022-41720 · Issue #56694 · golang/go · GitHub
Issue Tracking;Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-41720

Products affected by CVE-2022-41720

Exploit prediction scoring system (EPSS) score for CVE-2022-41720

CVSS scores for CVE-2022-41720

CWE ids for CVE-2022-41720

References for CVE-2022-41720