x/vulndb: add reports/GO-2022-0533.yaml for CVE-2022-29804

Updates golang/vulndb#0533 Change-Id: Icf6e278d0181b0f8addca2daa87416a1185ab007 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/419426 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Tatiana Bradley <tatiana@golang.org>
2022-07-27 12:13:50 -04:00 · 2022-07-27 12:13:50 -04:00 · 709c1e747e
--- a/reports/GO-2022-0533.yaml
+++ b/reports/GO-2022-0533.yaml
@ -0,0 +1,32 @@
+packages:
+  - module: std
+    package: path/filepath
+    symbols:
+      - Clean
+    versions:
+      - fixed: 1.17.11
+      - introduced: 1.18.0
+        fixed: 1.18.3
+    vulnerable_at: 1.18.2
+description: |
+    On Windows, the filepath.Clean function can convert certain invalid paths
+    to valid, absolute paths, potentially allowing a directory traversal
+    attack.
+
+    For example, Clean(`.\c:`) returns `c:`.
+credit: Unrud
+os:
+  - windows
+links:
+    pr: https://go.dev/cl/401595
+    commit: https://go.googlesource.com/go/+/9cd1818a7d019c02fa4898b3e45a323e35033290
+    context:
+      - https://go.dev/issue/52476
+      - https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ
+cve_metadata:
+    id: CVE-2022-29804
+    cwe: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+    description: |
+        Incorrect conversion of certain invalid paths to valid, absolute paths
+        in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows
+        allows potential directory traversal attack.