Search for vulnerabilities
Vulnerability details: VCID-v1p3-dj9p-wkfy
Vulnerability ID VCID-v1p3-dj9p-wkfy
Aliases CVE-2022-30636
Summary httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.
Status Published
Exploitability 0.5
Weighted Severity 6.0
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00105 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss 0.00198 https://api.first.org/data/v1/epss?cve=CVE-2022-30636
cvssv3.1 7.5 https://go.dev/cl/408694
ssvc Track https://go.dev/cl/408694
cvssv3.1 7.5 https://go.dev/issue/53082
ssvc Track https://go.dev/issue/53082
cvssv3.1 7.5 https://pkg.go.dev/vuln/GO-2024-2961
ssvc Track https://pkg.go.dev/vuln/GO-2024-2961
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-30636
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30636
408694 https://go.dev/cl/408694
53082 https://go.dev/issue/53082
CVE-2022-30636 https://nvd.nist.gov/vuln/detail/CVE-2022-30636
GO-2024-2961 https://pkg.go.dev/vuln/GO-2024-2961
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://go.dev/cl/408694
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://go.dev/cl/408694
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://go.dev/issue/53082
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://go.dev/issue/53082
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://pkg.go.dev/vuln/GO-2024-2961
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://pkg.go.dev/vuln/GO-2024-2961
Exploit Prediction Scoring System (EPSS)
Percentile 0.29266
EPSS Score 0.00105
Published At Aug. 10, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T09:51:01.658307+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/30xxx/CVE-2022-30636.json 37.0.0