CVE - CVE-2023-45283

CVE-ID
CVE-2023-45283	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20231214-0008/ MISC:http://www.openwall.com/lists/oss-security/2023/12/05/2 URL:http://www.openwall.com/lists/oss-security/2023/12/05/2 MISC:https://go.dev/cl/540277 URL:https://go.dev/cl/540277 MISC:https://go.dev/cl/541175 URL:https://go.dev/cl/541175 MISC:https://go.dev/issue/63713 URL:https://go.dev/issue/63713 MISC:https://go.dev/issue/64028 URL:https://go.dev/issue/64028 MISC:https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY URL:https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY MISC:https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ URL:https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ MISC:https://pkg.go.dev/vuln/GO-2023-2185 URL:https://pkg.go.dev/vuln/GO-2023-2185
Assigning CNA
Go Project
Date Record Created
20231006	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20231006)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)