CVE-2022-30636: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2022-30636) affects the golang.org/x/crypto/acme/autocert package, specifically related to the httpTokenCacheKey function. The issue was discovered in May 2022 and allows for limited directory traversal on Windows systems. The vulnerability exists in versions before v0.0.0-20220525230936-793ad666bf5e (Go Vuln DB).

The vulnerability stems from the httpTokenCacheKey function using path.Base instead of filepath.Base to extract the expected HTTP-01 token value for DirCache implementation lookup. On Windows systems, due to different path separator handling (\ vs /), this allows users to provide relative paths. For example, '.well-known/acme-challenge/....\asd' becomes '....\asd'. The extracted path is then suffixed with '+http-01', joined with the cache directory, and opened (Go Issue).

The impact of this vulnerability is limited in scope. While it does allow for directory traversal, it only permits reading arbitrary files on the system if they have the '+http-01' suffix. This limitation significantly reduces the potential impact of the vulnerability (Go Issue).

The vulnerability was fixed in golang.org/x/crypto version v0.0.0-20220525230936-793ad666bf5e through a patch that properly cleans DirCache paths. Users should upgrade to this version or later to mitigate the vulnerability (Go CL).