{"containers":{"cna":{"providerMetadata":{"orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go","dateUpdated":"2023-06-12T19:05:24.713Z"},"title":"Failure to strip relative path components in net/url","descriptions":[{"lang":"en","value":"JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath(\"https://go.dev\", \"../go\") returns the URL \"https://go.dev/../go\", despite the JoinPath documentation stating that ../ path elements are removed from the result."}],"affected":[{"vendor":"Go standard library","product":"net/url","collectionURL":"https://pkg.go.dev","packageName":"net/url","versions":[{"version":"1.19.0-0","lessThan":"1.19.1","status":"affected","versionType":"semver"}],"programRoutines":[{"name":"URL.JoinPath"},{"name":"JoinPath"}],"defaultStatus":"unaffected"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}],"references":[{"url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s"},{"url":"https://go.dev/issue/54385"},{"url":"https://go.dev/cl/423514"},{"url":"https://pkg.go.dev/vuln/GO-2022-0988"}],"credits":[{"lang":"en","value":"@q0jt"}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T07:32:56.001Z"},"title":"CVE Program Container","references":[{"url":"https://groups.google.com/g/golang-announce/c/x49AQzIVX-s","tags":["x_transferred"]},{"url":"https://go.dev/issue/54385","tags":["x_transferred"]},{"url":"https://go.dev/cl/423514","tags":["x_transferred"]},{"url":"https://pkg.go.dev/vuln/GO-2022-0988","tags":["x_transferred"]}]}]},"cveMetadata":{"assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","assignerShortName":"Go","cveId":"CVE-2022-32190","datePublished":"2022-09-13T17:08:57.000Z","dateReserved":"2022-05-31T00:00:00.000Z","dateUpdated":"2024-08-03T07:32:56.001Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}