CVE-2022-41720 - Vulnerability Details

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Golang	Go
Microsoft	Windows

Configuration 1 [-]

AND

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://go.dev/cl/455716
https://go.dev/issue/56694
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
https://nvd.nist.gov/vuln/detail/CVE-2022-41720
https://pkg.go.dev/vuln/GO-2022-1143
https://www.cve.org/CVERecord?id=CVE-2022-41720

History

Wed, 23 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-07T16:11:18.867Z

Updated: 2025-04-23T15:43:46.208Z

Reserved: 2022-09-28T17:00:06.609Z

Link: CVE-2022-41720

Vulnrichment

Updated: 2024-08-03T12:49:43.510Z

NVD

Status : Modified

Published: 2022-12-07T17:15:10.293

Modified: 2025-04-23T16:15:25.373

Link: CVE-2022-41720

Redhat

Severity : Important

Publid Date: 2022-12-07T00:00:00Z

Links: CVE-2022-41720 - Bugzilla

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41720", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "requesterUserId": "7d08541a-cd0a-42e2-8f81-76e6ceb65fc3", "dateReserved": "2022-09-28T17:00:06.609Z", "datePublished": "2022-12-07T16:11:18.867Z", "dateUpdated": "2025-04-23T15:43:46.208Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:05:39.487Z"}, "title": "Restricted file access on Windows in os and net/http", "descriptions": [{"lang": "en", "value": "On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error."}], "affected": [{"vendor": "Go standard library", "product": "os", "collectionURL": "https://pkg.go.dev", "packageName": "os", "versions": [{"version": "0", "lessThan": "1.18.9", "status": "affected", "versionType": "semver"}, {"version": "1.19.0-0", "lessThan": "1.19.4", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "dirFS.Open"}, {"name": "dirFS.Stat"}, {"name": "DirFS"}], "defaultStatus": "unaffected"}, {"vendor": "Go standard library", "product": "net/http", "collectionURL": "https://pkg.go.dev", "packageName": "net/http", "versions": [{"version": "0", "lessThan": "1.18.9", "status": "affected", "versionType": "semver"}, {"version": "1.19.0-0", "lessThan": "1.19.4", "status": "affected", "versionType": "semver"}], "platforms": ["windows"], "programRoutines": [{"name": "Dir.Open"}, {"name": "ServeFile"}, {"name": "fileHandler.ServeHTTP"}, {"name": "fileTransport.RoundTrip"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://go.dev/issue/56694"}, {"url": "https://go.dev/cl/455716"}, {"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1143"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:49:43.510Z"}, "title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/56694", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/455716", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-1143", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:41:16.852650Z", "id": "CVE-2022-41720", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:43:46.208Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2022-41720 (string)

assignerOrgId : 1bb62c36-49e3-4200-9d77-64a1400537cc (string)

state : PUBLISHED (string)

assignerShortName : Go (string)

requesterUserId : 7d08541a-cd0a-42e2-8f81-76e6ceb65fc3 (string)

dateReserved : 2022-09-28T17:00:06.609Z (string)

datePublished : 2022-12-07T16:11:18.867Z (string)

dateUpdated : 2025-04-23T15:43:46.208Z (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 1bb62c36-49e3-4200-9d77-64a1400537cc (string)

shortName : Go (string)

dateUpdated : 2023-06-12T19:05:39.487Z (string)

}

title : Restricted file access on Windows in os and net/http (string)

descriptions : [ »

0 : { »

lang : en (string)

value : On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. (string)

}

]

affected : [ »

0 : { »

vendor : Go standard library (string)

product : os (string)

collectionURL : https://pkg.go.dev (string)

packageName : os (string)

versions : [ »

0 : { »

version : 0 (string)

lessThan : 1.18.9 (string)

status : affected (string)

versionType : semver (string)

}

1 : { »

version : 1.19.0-0 (string)

lessThan : 1.19.4 (string)

status : affected (string)

versionType : semver (string)

}

]

platforms : [ »

0 : windows (string)

]

programRoutines : [ »

0 : { »

name : dirFS.Open (string)

}

1 : { »

name : dirFS.Stat (string)

}

2 : { »

name : DirFS (string)

}

]

defaultStatus : unaffected (string)

}

1 : { »

vendor : Go standard library (string)

product : net/http (string)

collectionURL : https://pkg.go.dev (string)

packageName : net/http (string)

versions : [ »

0 : { »

version : 0 (string)

lessThan : 1.18.9 (string)

status : affected (string)

versionType : semver (string)

}

1 : { »

version : 1.19.0-0 (string)

lessThan : 1.19.4 (string)

status : affected (string)

versionType : semver (string)

}

]

platforms : [ »

0 : windows (string)

]

programRoutines : [ »

0 : { »

name : Dir.Open (string)

}

1 : { »

name : ServeFile (string)

}

2 : { »

name : fileHandler.ServeHTTP (string)

}

3 : { »

name : fileTransport.RoundTrip (string)

}

]

defaultStatus : unaffected (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

description : CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (string)

}

]

}

]

references : [ »

0 : { »

url : https://go.dev/issue/56694 (string)

}

1 : { »

url : https://go.dev/cl/455716 (string)

}

2 : { »

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

}

3 : { »

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T12:49:43.510Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://go.dev/issue/56694 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://go.dev/cl/455716 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

1 : { »

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 7.5 (number)

attackVector : NETWORK (string)

baseSeverity : HIGH (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

integrityImpact : NONE (string)

userInteraction : NONE (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : HIGH (string)

}

1 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2025-04-23T15:41:16.852650Z (string)

id : CVE-2022-41720 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T15:43:46.208Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://go.dev/issue/56694", "tags": ["x_transferred"]}, {"url": "https://go.dev/cl/455716", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-1143", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:49:43.510Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-41720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:41:16.852650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:43:41.074Z"}}], "cna": {"title": "Restricted file access on Windows in os and net/http", "affected": [{"vendor": "Go standard library", "product": "os", "versions": [{"status": "affected", "version": "0", "lessThan": "1.18.9", "versionType": "semver"}, {"status": "affected", "version": "1.19.0-0", "lessThan": "1.19.4", "versionType": "semver"}], "platforms": ["windows"], "packageName": "os", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "dirFS.Open"}, {"name": "dirFS.Stat"}, {"name": "DirFS"}]}, {"vendor": "Go standard library", "product": "net/http", "versions": [{"status": "affected", "version": "0", "lessThan": "1.18.9", "versionType": "semver"}, {"status": "affected", "version": "1.19.0-0", "lessThan": "1.19.4", "versionType": "semver"}], "platforms": ["windows"], "packageName": "net/http", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "Dir.Open"}, {"name": "ServeFile"}, {"name": "fileHandler.ServeHTTP"}, {"name": "fileTransport.RoundTrip"}]}], "references": [{"url": "https://go.dev/issue/56694"}, {"url": "https://go.dev/cl/455716"}, {"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1143"}], "descriptions": [{"lang": "en", "value": "On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:05:39.487Z"}}}, "cveMetadata": {"cveId": "CVE-2022-41720", "state": "PUBLISHED", "dateUpdated": "2025-04-23T15:43:46.208Z", "dateReserved": "2022-09-28T17:00:06.609Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2022-12-07T16:11:18.867Z", "requesterUserId": "7d08541a-cd0a-42e2-8f81-76e6ceb65fc3", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://go.dev/issue/56694 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://go.dev/cl/455716 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T12:49:43.510Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

cvssV3_1 : { »

scope : UNCHANGED (string)

version : 3.1 (string)

baseScore : 7.5 (number)

attackVector : NETWORK (string)

baseSeverity : HIGH (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

integrityImpact : NONE (string)

userInteraction : NONE (string)

attackComplexity : LOW (string)

availabilityImpact : NONE (string)

privilegesRequired : NONE (string)

confidentialityImpact : HIGH (string)

}

1 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2022-41720 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-04-23T15:41:16.852650Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-04-23T15:43:41.074Z (string)

}

]

cna : { »

title : Restricted file access on Windows in os and net/http (string)

affected : [ »

0 : { »

vendor : Go standard library (string)

product : os (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.18.9 (string)

versionType : semver (string)

}

1 : { »

status : affected (string)

version : 1.19.0-0 (string)

lessThan : 1.19.4 (string)

versionType : semver (string)

}

]

platforms : [ »

0 : windows (string)

]

packageName : os (string)

collectionURL : https://pkg.go.dev (string)

defaultStatus : unaffected (string)

programRoutines : [ »

0 : { »

name : dirFS.Open (string)

}

1 : { »

name : dirFS.Stat (string)

}

2 : { »

name : DirFS (string)

}

]

}

1 : { »

vendor : Go standard library (string)

product : net/http (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.18.9 (string)

versionType : semver (string)

}

1 : { »

status : affected (string)

version : 1.19.0-0 (string)

lessThan : 1.19.4 (string)

versionType : semver (string)

}

]

platforms : [ »

0 : windows (string)

]

packageName : net/http (string)

collectionURL : https://pkg.go.dev (string)

defaultStatus : unaffected (string)

programRoutines : [ »

0 : { »

name : Dir.Open (string)

}

1 : { »

name : ServeFile (string)

}

2 : { »

name : fileHandler.ServeHTTP (string)

}

3 : { »

name : fileTransport.RoundTrip (string)

}

]

}

]

references : [ »

0 : { »

url : https://go.dev/issue/56694 (string)

}

1 : { »

url : https://go.dev/cl/455716 (string)

}

2 : { »

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

}

3 : { »

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

description : CWE 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (string)

}

]

}

]

providerMetadata : { »

orgId : 1bb62c36-49e3-4200-9d77-64a1400537cc (string)

shortName : Go (string)

dateUpdated : 2023-06-12T19:05:39.487Z (string)

}

cveMetadata : { »

cveId : CVE-2022-41720 (string)

state : PUBLISHED (string)

dateUpdated : 2025-04-23T15:43:46.208Z (string)

dateReserved : 2022-09-28T17:00:06.609Z (string)

assignerOrgId : 1bb62c36-49e3-4200-9d77-64a1400537cc (string)

datePublished : 2022-12-07T16:11:18.867Z (string)

requesterUserId : 7d08541a-cd0a-42e2-8f81-76e6ceb65fc3 (string)

assignerShortName : Go (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0CD51B1-029E-442F-BE6A-772F4754D240", "versionEndExcluding": "1.18.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6AEBFD1-DEE2-40E0-B65C-8C7885014797", "versionEndExcluding": "1.19.4", "versionStartIncluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error."}, {"lang": "es", "value": "En Windows, se puede acceder a archivos restringidos a trav\u00e9s de os.DirFS y http.Dir. La funci\u00f3n os.DirFS y el tipo http.Dir brindan acceso a un \u00e1rbol de archivos ubicados en un directorio determinado. Estas funciones permiten el acceso a archivos de dispositivos Windows bajo esa ra\u00edz. Por ejemplo, os.DirFS(\"C:/tmp\").Open(\"COM1\") abre el dispositivo COM1. Tanto os.DirFS como http.Dir solo brindan acceso al sistema de archivos de solo lectura. Adem\u00e1s, en Windows, un os.DirFS para el directorio (la ra\u00edz de la unidad actual) puede permitir que una ruta creada con fines malintencionados escape de la unidad y acceda a cualquier ruta del sistema. Con la correcci\u00f3n aplicada, el comportamiento de os.DirFS(\"\") ha cambiado. Anteriormente, una ra\u00edz vac\u00eda se trataba de manera equivalente a \"/\", por lo que os.DirFS(\"\").Open(\"tmp\") abrir\u00eda la ruta \"/tmp\". Esto ahora devuelve un error."}], "id": "CVE-2022-41720", "lastModified": "2025-04-23T16:15:25.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-07T17:15:10.293", "references": [{"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://go.dev/cl/455716"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://go.dev/issue/56694"}, {"source": "security@golang.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"}, {"source": "security@golang.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1143"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://go.dev/cl/455716"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://go.dev/issue/56694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1143"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E0CD51B1-029E-442F-BE6A-772F4754D240 (string)

versionEndExcluding : 1.18.9 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* (string)

matchCriteriaId : B6AEBFD1-DEE2-40E0-B65C-8C7885014797 (string)

versionEndExcluding : 1.19.4 (string)

versionStartIncluding : 1.19.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

1 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* (string)

matchCriteriaId : A2572D17-1DE6-457B-99CC-64AFD54487EA (string)

vulnerable : false (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

operator : AND (string)

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

}

1 : { »

lang : es (string)

value : En Windows, se puede acceder a archivos restringidos a través de os.DirFS y http.Dir. La función os.DirFS y el tipo http.Dir brindan acceso a un árbol de archivos ubicados en un directorio determinado. Estas funciones permiten el acceso a archivos de dispositivos Windows bajo esa raíz. Por ejemplo, os.DirFS("C:/tmp").Open("COM1") abre el dispositivo COM1. Tanto os.DirFS como http.Dir solo brindan acceso al sistema de archivos de solo lectura. Además, en Windows, un os.DirFS para el directorio (la raíz de la unidad actual) puede permitir que una ruta creada con fines malintencionados escape de la unidad y acceda a cualquier ruta del sistema. Con la corrección aplicada, el comportamiento de os.DirFS("") ha cambiado. Anteriormente, una raíz vacía se trataba de manera equivalente a "/", por lo que os.DirFS("").Open("tmp") abriría la ruta "/tmp". Esto ahora devuelve un error. (string)

}

]

id : CVE-2022-41720 (string)

lastModified : 2025-04-23T16:15:25.373 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

1 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

type : Secondary (string)

}

]

}

published : 2022-12-07T17:15:10.293 (string)

references : [ »

0 : { »

source : security@golang.org (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://go.dev/cl/455716 (string)

}

1 : { »

source : security@golang.org (string)

tags : [ »

0 : Issue Tracking (string)

1 : Vendor Advisory (string)

]

url : https://go.dev/issue/56694 (string)

}

2 : { »

source : security@golang.org (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Third Party Advisory (string)

]

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

}

3 : { »

source : security@golang.org (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://go.dev/cl/455716 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Vendor Advisory (string)

]

url : https://go.dev/issue/56694 (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Release Notes (string)

2 : Third Party Advisory (string)

]

url : https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://pkg.go.dev/vuln/GO-2022-1143 (string)

}

]

sourceIdentifier : security@golang.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-22 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows", "id": "2161271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161271"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error.", "A flaw was found in OS, net/http golang library. In Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted in a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS(\"C:/tmp\").Open(\"COM1\") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With the fix applied, the behavior of os.DirFS(\"\") has changed. Previously, an empty root was treated equivalently to \"/\", so os.DirFS(\"\").Open(\"tmp\") would open the path \"/tmp\". This now returns an error."], "name": "CVE-2022-41720", "package_state": [{"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Not affected", "package_name": "cert-manager/cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "cryostat-tech-preview/cryostat-rhel8-operator", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Not affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/logging-loki-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Not affected", "package_name": "mta/mta-hub-rhel8", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Not affected", "package_name": "rhmtc/openshift-velero-plugin-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Not affected", "package_name": "migration-toolkit-virtualization/mtv-controller-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Not affected", "package_name": "workload-availability/node-healthcheck-rhel8-operator", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_nmo:5", "fix_state": "Not affected", "package_name": "workload-availability/node-maintenance-rhel8-operator", "product_name": "Node Maintenance Operator"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Not affected", "package_name": "oadp/oadp-velero-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Not affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Not affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1", "fix_state": "Not affected", "package_name": "openshift-secondary-scheduler-operator/secondary-scheduler-rhel9-operator", "product_name": "OpenShift Secondary Scheduler Operator"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Not affected", "package_name": "3scale-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/subctl-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:application_interconnect:1", "fix_state": "Affected", "impact": "low", "package_name": "skupper-cli", "product_name": "Red Hat Application Interconnect 1.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Not affected", "package_name": "go-toolset-1.19-golang", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/skopeo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:3.0/toolbox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/conmon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/skopeo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:4.0/toolbox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/skopeo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "container-tools:rhel8/toolbox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "go-toolset:rhel8/go-toolset", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "go-toolset", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "butane", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "containernetworking-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ignition", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "microshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "skopeo", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "mcg", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/cephcsi-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Not affected", "package_name": "openshift-gitops-kam", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Not affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Not affected", "package_name": "openshift-sandboxed-containers/osc-rhel8-operator", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "container-native-virtualization/virt-api", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Not affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "collectd-libpod-stats", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "rhosp-rhel8/osp-director-agent", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "collectd-libpod-stats", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "foreman_ygg_worker", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "yggdrasil", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "go-toolset-7-golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Not affected", "package_name": "web-terminal-exec-container", "product_name": "Red Hat Web Terminal"}, {"cpe": "cpe:/a:redhat:workload_availability_self_node_remediation", "fix_state": "Not affected", "package_name": "workload-availability/self-node-remediation-rhel8-operator", "product_name": "Self Node Remediation Operator"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.4::el8", "fix_state": "Not affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.4 for RHEL 8"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "fix_state": "Affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.5 for RHEL 8"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "golang-github-danielqsj-kafka_exporter", "product_name": "streams for Apache Kafka"}], "public_date": "2022-12-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-41720\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41720\nhttps://go.dev/cl/455716\nhttps://go.dev/issue/56694\nhttps://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\nhttps://pkg.go.dev/vuln/GO-2022-1143"], "threat_severity": "Important"}

{

bugzilla : { »

description : golang: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows (string)

id : 2161271 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2161271 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (string)

status : draft (string)

}

cwe : CWE-22 (string)

details : [ »

0 : On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. (string)

1 : A flaw was found in OS, net/http golang library. In Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted in a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With the fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. (string)

]

name : CVE-2022-41720 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:cert_manager:1 (string)

fix_state : Not affected (string)

package_name : cert-manager/cert-manager-operator-rhel9 (string)

product_name : cert-manager Operator for Red Hat OpenShift (string)

}

1 : { »

cpe : cpe:/a:redhat:cryostat:2 (string)

fix_state : Not affected (string)

package_name : cryostat-tech-preview/cryostat-rhel8-operator (string)

product_name : Cryostat 2 (string)

}

2 : { »

cpe : cpe:/a:redhat:openshift_custom_metrics_autoscaler:2 (string)

fix_state : Not affected (string)

package_name : custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 (string)

product_name : Custom Metric Autoscaler operator for Red Hat Openshift (string)

}

3 : { »

cpe : cpe:/a:redhat:logging:5 (string)

fix_state : Not affected (string)

package_name : openshift-logging/logging-loki-rhel8 (string)

product_name : Logging Subsystem for Red Hat OpenShift (string)

}

4 : { »

cpe : cpe:/a:redhat:migration_toolkit_applications:6 (string)

fix_state : Not affected (string)

package_name : mta/mta-hub-rhel8 (string)

product_name : Migration Toolkit for Applications 6 (string)

}

5 : { »

cpe : cpe:/a:redhat:rhmt (string)

fix_state : Not affected (string)

package_name : rhmtc/openshift-velero-plugin-rhel8 (string)

product_name : Migration Toolkit for Containers (string)

}

6 : { »

cpe : cpe:/a:redhat:migration_toolkit_virtualization:2 (string)

fix_state : Not affected (string)

package_name : migration-toolkit-virtualization/mtv-controller-rhel9 (string)

product_name : Migration Toolkit for Virtualization (string)

}

7 : { »

cpe : cpe:/a:redhat:workload_availability_node_healthcheck (string)

fix_state : Not affected (string)

package_name : workload-availability/node-healthcheck-rhel8-operator (string)

product_name : Node HealthCheck Operator (string)

}

8 : { »

cpe : cpe:/a:redhat:workload_availability_nmo:5 (string)

fix_state : Not affected (string)

package_name : workload-availability/node-maintenance-rhel8-operator (string)

product_name : Node Maintenance Operator (string)

}

9 : { »

cpe : cpe:/a:redhat:openshift_api_data_protection:1 (string)

fix_state : Not affected (string)

package_name : oadp/oadp-velero-rhel8 (string)

product_name : OpenShift API for Data Protection (string)

}

10 : { »

cpe : cpe:/a:redhat:ocp_tools (string)

fix_state : Not affected (string)

package_name : helm (string)

product_name : OpenShift Developer Tools and Services (string)

}

11 : { »

cpe : cpe:/a:redhat:ocp_tools (string)

fix_state : Not affected (string)

package_name : ocp-tools-4/jenkins-rhel8 (string)

product_name : OpenShift Developer Tools and Services (string)

}

12 : { »

cpe : cpe:/a:redhat:ocp_tools (string)

fix_state : Not affected (string)

package_name : odo (string)

product_name : OpenShift Developer Tools and Services (string)

}

13 : { »

cpe : cpe:/a:redhat:openshift_pipelines:1 (string)

fix_state : Not affected (string)

package_name : openshift-pipelines-client (string)

product_name : OpenShift Pipelines (string)

}

14 : { »

cpe : cpe:/a:redhat:openshift_secondary_scheduler:1 (string)

fix_state : Not affected (string)

package_name : openshift-secondary-scheduler-operator/secondary-scheduler-rhel9-operator (string)

product_name : OpenShift Secondary Scheduler Operator (string)

}

15 : { »

cpe : cpe:/a:redhat:serverless:1 (string)

fix_state : Not affected (string)

package_name : openshift-serverless-1/client-kn-rhel8 (string)

product_name : OpenShift Serverless (string)

}

16 : { »

cpe : cpe:/a:redhat:serverless:1 (string)

fix_state : Not affected (string)

package_name : openshift-serverless-clients (string)

product_name : OpenShift Serverless (string)

}

17 : { »

cpe : cpe:/a:redhat:service_mesh:2 (string)

fix_state : Not affected (string)

package_name : openshift-golang-builder-container (string)

product_name : OpenShift Service Mesh 2 (string)

}

18 : { »

cpe : cpe:/a:redhat:red_hat_3scale_amp:2 (string)

fix_state : Not affected (string)

package_name : 3scale-operator-container (string)

product_name : Red Hat 3scale API Management Platform 2 (string)

}

19 : { »

cpe : cpe:/a:redhat:acm:2 (string)

fix_state : Not affected (string)

package_name : rhacm2/subctl-rhel9 (string)

product_name : Red Hat Advanced Cluster Management for Kubernetes 2 (string)

}

20 : { »

cpe : cpe:/a:redhat:advanced_cluster_security:3 (string)

fix_state : Not affected (string)

package_name : advanced-cluster-security/rhacs-main-rhel8 (string)

product_name : Red Hat Advanced Cluster Security 3 (string)

}

21 : { »

cpe : cpe:/a:redhat:ansible_automation_platform:2 (string)

fix_state : Not affected (string)

package_name : openshift-clients (string)

product_name : Red Hat Ansible Automation Platform 2 (string)

}

22 : { »

cpe : cpe:/a:redhat:ansible_automation_platform:2 (string)

fix_state : Not affected (string)

package_name : receptor (string)

product_name : Red Hat Ansible Automation Platform 2 (string)

}

23 : { »

cpe : cpe:/a:redhat:application_interconnect:1 (string)

fix_state : Affected (string)

impact : low (string)

package_name : skupper-cli (string)

product_name : Red Hat Application Interconnect 1.0 (string)

}

24 : { »

cpe : cpe:/a:redhat:ceph_storage:3 (string)

fix_state : Not affected (string)

package_name : golang (string)

product_name : Red Hat Ceph Storage 3 (string)

}

25 : { »

cpe : cpe:/a:redhat:ceph_storage:5 (string)

fix_state : Not affected (string)

package_name : rhceph/rhceph-5-dashboard-rhel8 (string)

product_name : Red Hat Ceph Storage 5 (string)

}

26 : { »

cpe : cpe:/a:redhat:devtools: (string)

fix_state : Not affected (string)

package_name : go-toolset-1.19-golang (string)

product_name : Red Hat Developer Tools (string)

}

27 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:3.0/buildah (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

28 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:3.0/containernetworking-plugins (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

29 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:3.0/podman (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

30 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:3.0/skopeo (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

31 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:3.0/toolbox (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

32 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/buildah (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

33 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/conmon (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

34 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/containernetworking-plugins (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

35 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/podman (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

36 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/skopeo (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

37 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:4.0/toolbox (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

38 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:rhel8/buildah (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

39 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:rhel8/containernetworking-plugins (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

40 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:rhel8/podman (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

41 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:rhel8/skopeo (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

42 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : container-tools:rhel8/toolbox (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

43 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : git-lfs (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

44 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : go-toolset:rhel8/golang (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

45 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : go-toolset:rhel8/go-toolset (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

46 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : grafana (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

47 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : grafana-pcp (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

48 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : osbuild-composer (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

49 : { »

cpe : cpe:/o:redhat:enterprise_linux:8 (string)

fix_state : Not affected (string)

package_name : weldr-client (string)

product_name : Red Hat Enterprise Linux 8 (string)

}

50 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : buildah (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

51 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : butane (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

52 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : conmon (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

53 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : containernetworking-plugins (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

54 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : git-lfs (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

55 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : golang (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

56 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : go-toolset (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

57 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : grafana (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

58 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : grafana-pcp (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

59 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : ignition (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

60 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : osbuild-composer (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

61 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : podman (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

62 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : skopeo (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

63 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : toolbox (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

64 : { »

cpe : cpe:/o:redhat:enterprise_linux:9 (string)

fix_state : Not affected (string)

package_name : weldr-client (string)

product_name : Red Hat Enterprise Linux 9 (string)

}

65 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : buildah (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

66 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : butane (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

67 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : conmon (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

68 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : containernetworking-plugins (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

69 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : cri-o (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

70 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : cri-tools (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

71 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : ignition (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

72 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : microshift (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

73 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

74 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift-clients (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

75 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : openshift-golang-builder-container (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

76 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : podman (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

77 : { »

cpe : cpe:/a:redhat:openshift:4 (string)

fix_state : Not affected (string)

package_name : skopeo (string)

product_name : Red Hat OpenShift Container Platform 4 (string)

}

78 : { »

cpe : cpe:/a:redhat:openshift_data_foundation:4 (string)

fix_state : Not affected (string)

package_name : mcg (string)

product_name : Red Hat Openshift Data Foundation 4 (string)

}

79 : { »

cpe : cpe:/a:redhat:openshift_data_foundation:4 (string)

fix_state : Not affected (string)

package_name : odf4/cephcsi-rhel9 (string)

product_name : Red Hat Openshift Data Foundation 4 (string)

}

80 : { »

cpe : cpe:/a:redhat:openshift_devspaces:3: (string)

fix_state : Not affected (string)

package_name : devspaces/udi-rhel8 (string)

product_name : Red Hat OpenShift Dev Spaces (string)

}

81 : { »

cpe : cpe:/a:redhat:openshift_distributed_tracing:2 (string)

fix_state : Not affected (string)

package_name : rhosdt/jaeger-agent-rhel8 (string)

product_name : Red Hat OpenShift distributed tracing 2 (string)

}

82 : { »

cpe : cpe:/a:redhat:openshift_gitops:1 (string)

fix_state : Not affected (string)

package_name : openshift-gitops-1/gitops-rhel8 (string)

product_name : Red Hat OpenShift GitOps (string)

}

83 : { »

cpe : cpe:/a:redhat:openshift_gitops:1 (string)

fix_state : Not affected (string)

package_name : openshift-gitops-kam (string)

product_name : Red Hat OpenShift GitOps (string)

}

84 : { »

cpe : cpe:/a:redhat:openshift_service_on_aws:1 (string)

fix_state : Not affected (string)

package_name : rosa (string)

product_name : Red Hat OpenShift on AWS (string)

}

85 : { »

cpe : cpe:/a:redhat:openshift_sandboxed_containers:1 (string)

fix_state : Not affected (string)

package_name : openshift-sandboxed-containers/osc-rhel8-operator (string)

product_name : Red Hat Openshift Sandboxed Containers (string)

}

86 : { »

cpe : cpe:/a:redhat:container_native_virtualization:4 (string)

fix_state : Not affected (string)

package_name : container-native-virtualization/virt-api (string)

product_name : Red Hat OpenShift Virtualization 4 (string)

}

87 : { »

cpe : cpe:/a:redhat:container_native_virtualization:4 (string)

fix_state : Not affected (string)

package_name : kubevirt (string)

product_name : Red Hat OpenShift Virtualization 4 (string)

}

88 : { »

cpe : cpe:/a:redhat:openstack:16.2 (string)

fix_state : Not affected (string)

package_name : collectd-libpod-stats (string)

product_name : Red Hat OpenStack Platform 16.2 (string)

}

89 : { »

cpe : cpe:/a:redhat:openstack:16.2 (string)

fix_state : Not affected (string)

package_name : etcd (string)

product_name : Red Hat OpenStack Platform 16.2 (string)

}

90 : { »

cpe : cpe:/a:redhat:openstack:16.2 (string)

fix_state : Not affected (string)

package_name : golang-github-infrawatch-apputils (string)

product_name : Red Hat OpenStack Platform 16.2 (string)

}

91 : { »

cpe : cpe:/a:redhat:openstack:16.2 (string)

fix_state : Not affected (string)

package_name : rhosp-rhel8/osp-director-agent (string)

product_name : Red Hat OpenStack Platform 16.2 (string)

}

92 : { »

cpe : cpe:/a:redhat:openstack:17.0 (string)

fix_state : Not affected (string)

package_name : collectd-libpod-stats (string)

product_name : Red Hat OpenStack Platform 17.0 (string)

}

93 : { »

cpe : cpe:/a:redhat:openstack:17.0 (string)

fix_state : Not affected (string)

package_name : golang-github-infrawatch-apputils (string)

product_name : Red Hat OpenStack Platform 17.0 (string)

}

94 : { »

cpe : cpe:/a:redhat:quay:3 (string)

fix_state : Not affected (string)

package_name : quay/clair-rhel8 (string)

product_name : Red Hat Quay 3 (string)

}

95 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : foreman_ygg_worker (string)

product_name : Red Hat Satellite 6 (string)

}

96 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : satellite:el8/yggdrasil-worker-forwarder (string)

product_name : Red Hat Satellite 6 (string)

}

97 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : yggdrasil (string)

product_name : Red Hat Satellite 6 (string)

}

98 : { »

cpe : cpe:/a:redhat:satellite:6 (string)

fix_state : Not affected (string)

package_name : yggdrasil-worker-forwarder (string)

product_name : Red Hat Satellite 6 (string)

}

99 : { »

cpe : cpe:/a:redhat:storage:3 (string)

fix_state : Not affected (string)

package_name : golang (string)

product_name : Red Hat Storage 3 (string)

}

100 : { »

cpe : cpe:/a:redhat:storage:3 (string)

fix_state : Not affected (string)

package_name : go-toolset-7-golang (string)

product_name : Red Hat Storage 3 (string)

}

101 : { »

cpe : cpe:/a:redhat:storage:3 (string)

fix_state : Not affected (string)

package_name : heketi (string)

product_name : Red Hat Storage 3 (string)

}

102 : { »

cpe : cpe:/a:redhat:webterminal:1 (string)

fix_state : Not affected (string)

package_name : web-terminal-exec-container (string)

product_name : Red Hat Web Terminal (string)

}

103 : { »

cpe : cpe:/a:redhat:workload_availability_self_node_remediation (string)

fix_state : Not affected (string)

package_name : workload-availability/self-node-remediation-rhel8-operator (string)

product_name : Self Node Remediation Operator (string)

}

104 : { »

cpe : cpe:/a:redhat:service_telemetry_framework:1.4::el8 (string)

fix_state : Not affected (string)

package_name : stf/sg-core-rhel8 (string)

product_name : Service Telemetry Framework 1.4 for RHEL 8 (string)

}

105 : { »

cpe : cpe:/a:redhat:service_telemetry_framework:1.5::el8 (string)

fix_state : Affected (string)

package_name : stf/sg-core-rhel8 (string)

product_name : Service Telemetry Framework 1.5 for RHEL 8 (string)

}

106 : { »

cpe : cpe:/a:redhat:amq_streams:1 (string)

fix_state : Not affected (string)

package_name : golang-github-danielqsj-kafka_exporter (string)

product_name : streams for Apache Kafka (string)

}

]

public_date : 2022-12-07T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2022-41720 https://nvd.nist.gov/vuln/detail/CVE-2022-41720 https://go.dev/cl/455716 https://go.dev/issue/56694 https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ https://pkg.go.dev/vuln/GO-2022-1143 (string)

]

threat_severity : Important (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object