Insecure parsing of Windows paths with a \??\ prefix in path/filepath
CVE-2023-45283

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Path/filepath; Internal/safefilepath
Vendor: CVE Published:; 9 November 2023

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2023-45283?

The filepath package in Go fails to handle paths with a ??\ prefix correctly, allowing access to arbitrary locations on Windows systems. Before the fix, paths such as ??\c:\x could be converted improperly, leading to potential security risks. The updates restore proper handling of these paths, ensuring that functions like Clean and Join do not inadvertently expose sensitive directories through incorrect path resolution.

Affected Version(s)

internal/safefilepath windows 0 < 1.20.11

internal/safefilepath windows 1.21.0-0 < 1.21.4

path/filepath windows 0 < 1.20.11

References

https://go.dev/issue/63713

https://go.dev/cl/540277

https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 9, 2023
Vulnerability Reserved
Oct 6, 2023