CVE-2022-30636 in x-cryptoИнформация

Сводка

по MITRE • 02.07.2024

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Резервировать

12.05.2022

Раскрытие

02.07.2024

Модерация

принято

Вход

VDB-270264

EPSS

0.00632

KEV

Нет

Деятельности

Очень низкий

Источники

Do you want to use VulDB in your project?

Use the official API to access entries easily!