CVE-2023-45283: Insecure parsing of Windows paths with a \??\ prefix in path/filepath
First published: Thu Nov 09 2023(Updated: )
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Any of | ||
| Golang Go | <1.20.11 | |
| Golang Go | >=1.21.0-0<1.21.4 | |
| Microsoft Windows |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/issue/63713
- https://go.dev/cl/540277
- https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY
- https://go.dev/issue/64028
- https://go.dev/cl/541175
- https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
- https://pkg.go.dev/vuln/GO-2023-2185
- http://www.openwall.com/lists/oss-security/2023/12/05/2
- https://security.netapp.com/advisory/ntap-20231214-0008/
Frequently Asked Questions
What is CVE-2023-45283?
CVE-2023-45283 is a vulnerability related to the insecure parsing of Windows paths with a \??\ prefix in the filepath package of Golang Go.
How does the filepath package in Golang Go handle paths with a \??\ prefix?
The filepath package in Golang Go does not recognize paths with a \??\ prefix as special, allowing them to be used to access arbitrary locations on the system.
What is the impact of CVE-2023-45283?
The vulnerability allows an attacker to access arbitrary locations on the system by using paths with a \??\ prefix.
Which versions of Golang Go are affected by CVE-2023-45283?
Golang Go versions up to 1.20.11 and versions from 1.21.0-0 to 1.21.4 are affected by CVE-2023-45283.
Is Microsoft Windows vulnerable to CVE-2023-45283?
No, Microsoft Windows is not vulnerable to CVE-2023-45283.
- collector/mitre-cve
- collector/nvd-api
- agent/title
- agent/weakness
- agent/description
- agent/type
- agent/event
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- agent/trending
- vendor/golang
- canonical/golang go
- version/golang go/1.21.0-0
- vendor/microsoft
- canonical/microsoft windows