CVEProject · jfrog-cve-bot · Dec 4, 2022
diff --git a/review_set/2022/30xxx/CVE-2022-30636.json b/review_set/2022/30xxx/CVE-2022-30636.json
@@ -0,0 +1,71 @@
+{
+    "containers": {
+        "cna": {
+            "affected": [
+                {
+                    "collectionURL": "https://go.dev",
+                    "packageName": "github.com/golang/crypto",
+                    "versions": [
+                        {
+                            "lessThanOrEqual": "0.0.0-20220525230936-793ad666bf5e",
+                            "status": "affected",
+                            "versionType": "go"
+                        }
+                    ]
+                },
+                {
+                    "collectionURL": "https://go.dev",
+                    "packageName": "golang.org/x/crypto",
+                    "versions": [
+                        {
+                            "lessThanOrEqual": "0.0.0-20220525230936-793ad666bf5e",
+                            "status": "affected",
+                            "versionType": "go"
+                        }
+                    ]
+                },
+                {
+                    "collectionURL": "https://go.dev",
+                    "packageName": "github.com/golang/go",
+                    "versions": [
+                        {
+                            "lessThanOrEqual": "1.18.3",
+                            "status": "affected",
+                            "versionType": "go"
+                        }
+                    ]
+                }
+            ],
+            "descriptions": [
+                {
+                    "value": "Go contains a flaw that allows traversing outside of a restricted path. The issue is due to the Get() function in acme/autocert/cache.go not properly sanitizing input, specifically path traversal style attacks (e.g. '../')] supplied via the HTTP-01 token value. This may allow a context-dependent attacker to read arbitrary files on the system that have a '+http-01' suffix."
+                }
+            ],
+            "metrics": [
+                {
+                    "cvssV3_1": {
+                        "baseSeverity": "LOW"
+                    }
+                }
+            ],
+            "problemTypes": [],
+            "references": [
+                "http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-30636",
+                "https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2022-30636",
+                "https://github.com/golang/crypto/commit/793ad666bf5ec61392092b27061be9618e4e219b",
+                "https://github.com/golang/go/issues/53082",
+                "https://go-review.googlesource.com/c/crypto/+/408694/",
+                "https://go.googlesource.com/crypto/+/793ad666bf5ec61392092b27061be9618e4e219b"
+            ],
+            "source": {
+                "discovery": "EXTERNAL"
+            },
+            "title": "Go Cryptography acme/autocert/cache.go Get() Function Path Traversal File Disclosure Weakness"
+        }
+    },
+    "cveMetadata": {
+        "assignerOrgId": "48a46f29-ea42-4e1d-90dd-c1676c1e5e6d",
+        "assignerShortName": "JFROG",
+        "cveId": "CVE-2022-30636"
+    }
+}