Skip to main content
Version: latest

CVE-2022-32190

CVE Details

Visit the official vulnerability details page for CVE-2022-32190 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

go

NIST CVE Summary

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

CVE Severity

7.5

Our Official Summary

This flaw is found in the golang package. The vulnerable functions, JoinPath and URL.JoinPath was introduced in upstream go1.19, whereas, most of our containers use a higher version of go, which does not contain the vulnerable code. This can be considered a false positive.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.11✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.10✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.8✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.5✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.4✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/03/2024Official summary revised: This flaw is found in the golang package. The vulnerable functions, JoinPath and URL.JoinPath was introduced in upstream go1.19, whereas, most of our containers use ahigher version of go, which does not contain the vulnerable code. This can be considered a false positive.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5