Search for vulnerabilities
| Vulnerability ID | VCID-fezt-dkgy-aaae |
| Aliases |
CVE-2022-30636
|
| Summary | httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 0.0 |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| There are no known CWE. |
| Percentile | 0.16666 |
| EPSS Score | 0.00045 |
| Published At | Nov. 1, 2024, midnight |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2024-07-03T13:44:05.702979+00:00 | NVD Importer | Import | https://nvd.nist.gov/vuln/detail/CVE-2022-30636 | 34.0.0rc4 |