
Cloud Vulnerability DB
A community-led vulnerabilities database
A path traversal vulnerability (CVE-2022-41722) was discovered in Go's filepath.Clean function on Windows systems. The vulnerability was reported by RyotaK and publicly disclosed in February 2023. The issue affects Go versions before 1.19.6, and 1.20 releases before 1.20.1, specifically impacting the path/filepath package (Go Packages).
The vulnerability exists in the filepath.Clean function's handling of invalid paths on Windows systems. The function could incorrectly transform an invalid relative path such as 'a/../c:/b' into a valid absolute path 'c:\b'. This transformation from a relative (though invalid) path to an absolute path created a potential vector for directory traversal attacks. After the fix, the filepath.Clean function now transforms such paths into relative (but still invalid) paths like '.\c:\b' (Golang Announce).
The vulnerability could enable directory traversal attacks on Windows systems, potentially giving attackers unauthorized access to sensitive files and directories outside of the intended directory structure (NVD).
The vulnerability was patched in Go versions 1.19.6 and 1.20.1. Users are advised to upgrade to these or later versions to mitigate the security risk. The fix modifies the filepath.Clean function to maintain relative path status for invalid paths, preventing the potential directory traversal attack vector (Golang Announce).
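As a defence-in-depth check alongside the upgrade, untrusted relative paths can be validated before they are joined to a base directory. The following is an added example, not code from the Go project or the advisory; the helper name SanitizeWindowsRel is hypothetical, and it applies Windows path rules lexically so it behaves the same on any host OS.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrUnsafePath is returned for input that must not be joined to a base directory.
var ErrUnsafePath = errors.New("unsafe relative path")

// SanitizeWindowsRel validates an untrusted relative path under Windows rules
// and returns it cleaned, with backslash separators.
// Hypothetical helper for this example; not part of the Go standard library.
func SanitizeWindowsRel(untrusted string) (string, error) {
	// Windows accepts both separators; normalise so path.Clean sees every one.
	p := path.Clean(strings.ReplaceAll(untrusted, `\`, "/"))
	if p == "." || strings.HasPrefix(p, "/") {
		// Empty or current directory, rooted (\foo) or UNC (\\host\share).
		return "", ErrUnsafePath
	}
	for _, elem := range strings.Split(p, "/") {
		// After cleaning, any remaining ".." escapes the base directory.
		if elem == ".." {
			return "", ErrUnsafePath
		}
		// A colon marks a drive letter (c:) or an alternate data stream.
		// This is the case behind 'a/../c:/b' collapsing to 'c:\b'.
		if strings.Contains(elem, ":") {
			return "", ErrUnsafePath
		}
	}
	return strings.ReplaceAll(p, "/", `\`), nil
}

func main() {
	// Constructed sample inputs, including the path from the advisory.
	for _, in := range []string{`a/../c:/b`, `docs\report.txt`, `..\secret`, `a/./b/../c`} {
		out, err := SanitizeWindowsRel(in)
		fmt.Printf("%-18q -> %q, err=%v\n", in, out, err)
	}
}
```

The check is purely lexical: it does not resolve symlinks or junctions, so it complements running a patched Go version and does not replace it.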
Source: This report was generated using AI