VulnerableCode Package Details - pkg:deb/debian/golang-go.crypto@1:0.0~git20220829.c86fa9a-1?distro=trixie

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/golang-go.crypto@1:0.0~git20220829.c86fa9a-1?distro=trixie

purl	pkg:deb/debian/golang-go.crypto@1:0.0~git20220829.c86fa9a-1?distro=trixie

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-et4d-ak3r-1bfa	httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.	CVE-2022-30636

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-03T07:25:46.132676+00:00	Debian Importer	Fixing	VCID-et4d-ak3r-1bfa	https://security-tracker.debian.org/tracker/data/json	38.1.0