VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-v1p3-dj9p-wkfy

Essentials
Severities (25)
References (6)
Severity details (6)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-v1p3-dj9p-wkfy
Aliases	CVE-2022-30636
Summary	httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.
Status	Published
Exploitability	0.5
Weighted Severity	6.0
Risk	3.0
Affected and Fixed Packages	Package Details

Weaknesses (0)

There are no known CWE.

System	Score	Found at
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00105	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
epss	0.00198	https://api.first.org/data/v1/epss?cve=CVE-2022-30636
cvssv3.1	7.5	https://go.dev/cl/408694
ssvc	Track	https://go.dev/cl/408694
cvssv3.1	7.5	https://go.dev/issue/53082
ssvc	Track	https://go.dev/issue/53082
cvssv3.1	7.5	https://pkg.go.dev/vuln/GO-2024-2961
ssvc	Track	https://pkg.go.dev/vuln/GO-2024-2961

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2022-30636
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30636
408694		https://go.dev/cl/408694
53082		https://go.dev/issue/53082
CVE-2022-30636		https://nvd.nist.gov/vuln/detail/CVE-2022-30636
GO-2024-2961		https://pkg.go.dev/vuln/GO-2024-2961

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://go.dev/cl/408694

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://go.dev/cl/408694

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://go.dev/issue/53082

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://go.dev/issue/53082

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://pkg.go.dev/vuln/GO-2024-2961

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:57:10Z/ Found at https://pkg.go.dev/vuln/GO-2024-2961

Exploit Prediction Scoring System (EPSS)

Percentile	0.29266
EPSS Score	0.00105
Published At	Aug. 10, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T09:51:01.658307+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2022/30xxx/CVE-2022-30636.json	37.0.0