NVD Vulnerability Detail

CVE-2023-45283

Summary	The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
Publication Date	Nov. 10, 2023, 2:15 a.m.
Registration Date	Nov. 10, 2023, 10 a.m.
Last Update	Nov. 21, 2024, 5:26 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2023/12/05/2
2	http://www.openwall.com/lists/oss-security/2023/12/05/2
3	https://go.dev/cl/540277	Issue Tracking Vendor Advisory
4	https://go.dev/cl/540277	Issue Tracking Vendor Advisory
5	https://go.dev/cl/541175
6	https://go.dev/cl/541175
7	https://go.dev/issue/63713	Issue Tracking Vendor Advisory
8	https://go.dev/issue/63713	Issue Tracking Vendor Advisory
9	https://go.dev/issue/64028
10	https://go.dev/issue/64028
11	https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY	Issue Tracking Mailing List Vendor Advisory
12	https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY	Issue Tracking Mailing List Vendor Advisory
13	https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
14	https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
15	https://pkg.go.dev/vuln/GO-2023-2185	Issue Tracking Vendor Advisory
16	https://pkg.go.dev/vuln/GO-2023-2185	Issue Tracking Vendor Advisory
17	https://security.netapp.com/advisory/ntap-20231214-0008/
18	https://security.netapp.com/advisory/ntap-20231214-0008/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

The Go Project の Go におけるパストラバーサルの脆弱性

Title	The Go Project の Go におけるパストラバーサルの脆弱性
Summary	The Go Project の Go には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Nov. 9, 2023, midnight
Registration Date	Jan. 9, 2024, 2:18 p.m.
Last Update	Jan. 9, 2024, 2:18 p.m.

Affected System

The Go Project

Go 1.20.11 未満

Go 1.21.0-0 以上 1.21.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-45283	https://www.cve.org/CVERecord?id=CVE-2023-45283
National Vulnerability Database (NVD)
2	CVE-2023-45283	https://nvd.nist.gov/vuln/detail/CVE-2023-45283

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

その他

No	Name	URL
関連文書
1	go.dev (cl/540277)	https://go.dev/cl/540277
2	go.dev (cl/541175)	https://go.dev/cl/541175
3	go.dev (issue/63713)	https://go.dev/issue/63713
4	go.dev (issue/64028)	https://go.dev/issue/64028
5	groups.google.com (4tU8LZfBFkY)	https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
6	groups.google.com (KmLVYH_uAgAJ)	https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
7	pkg.go.dev (GO-2023-2185)	https://pkg.go.dev/vuln/GO-2023-2185
8	security.netapp.com (ntap-20231214-0008)	https://security.netapp.com/advisory/ntap-20231214-0008/
9	www.openwall.com (oss-security/2023/12/05/2)	http://www.openwall.com/lists/oss-security/2023/12/05/2

Change Log

No	Changed Details	Date of change
1	[2024年01月09日] 掲載	Jan. 9, 2024, 2:17 p.m.