Vulnerability Report: GO-2022-0586
- CVE-2022-26945, CVE-2022-30321, and 6 more
- Affects: github.com/hashicorp/go-getter, github.com/hashicorp/go-getter/v2, and 2 more
- Published: May 26, 2022
- Modified: May 20, 2024
Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.
- Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.
- Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.
- Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.
- A panic can be triggered when go-getter processes password-protected ZIP files.
For detailed information about this vulnerability, visit https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930.
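The decompressor-side misbehaviors listed above (an entry path that climbs out of the destination, a small archive that expands without bound, and a crash on a password-protected entry) come down to a few checks an extractor has to make before trusting a ZIP entry. The block below is an added example written against Go's standard archive/zip; it is not code from go-getter or HashiCorp, and it does not reproduce the library's internals. It assumes Go 1.20 or later (for filepath.IsLocal and zip.ErrInsecurePath); the 1 MiB output budget, the error variables, the function names and the in-memory sample archives (including the deliberately traversing, flag-only "encrypted" and highly compressible entries) are all constructed for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// maxOutputBytes caps what one archive may expand to on disk (an example value, not a go-getter default).
const maxOutputBytes int64 = 1 << 20
var ErrTraversal = errors.New("entry path escapes destination directory")
var ErrEncrypted = errors.New("entry is password-protected")
var ErrTooLarge = errors.New("decompressed output exceeds budget")

// ExtractZip unpacks data into dst with traversal, encryption and output-size checks; it returns files written.
func ExtractZip(data []byte, dst string) (int, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return 0, err // ErrInsecurePath (only with GODEBUG=zipinsecurepath=0) is re-checked per entry
	}
	total, written := int64(0), 0
	for _, f := range zr.File {
		if !filepath.IsLocal(f.Name) { // absolute, or ".." that climbs out of dst
			return written, fmt.Errorf("%w: %q", ErrTraversal, f.Name)
		}
		// Flag bit 0 marks an encrypted entry; archive/zip cannot decrypt, so fail cleanly rather than inflate ciphertext.
		if f.Flags&0x1 != 0 {
			return written, fmt.Errorf("%w: %q", ErrEncrypted, f.Name)
		}
		if f.FileInfo().IsDir() {
			continue // parent directories are created on demand below
		}
		target := filepath.Join(dst, filepath.FromSlash(f.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		n, err := copyEntry(f, target, maxOutputBytes-total)
		total += n
		if err != nil {
			os.Remove(target) // do not leave a truncated file behind
			return written, err
		}
		written++
	}
	return written, nil
}

// copyEntry streams one entry to disk, stopping one byte past limit so a tiny archive cannot expand without bound.
func copyEntry(f *zip.File, target string, limit int64) (int64, error) {
	rc, err := f.Open()
	if err != nil {
		return 0, err
	}
	defer rc.Close()
	out, err := os.Create(target)
	if err != nil {
		return 0, err
	}
	defer out.Close()
	n, err := io.Copy(out, io.LimitReader(rc, limit+1))
	if err == nil && n > limit {
		err = fmt.Errorf("%w: %q", ErrTooLarge, f.Name)
	}
	return n, err
}

// buildZip returns a constructed one-entry archive; flags 0x1 sets the "encrypted" header bit only (no real cipher).
func buildZip(name string, data []byte, flags uint16) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.CreateHeader(&zip.FileHeader{Name: name, Method: zip.Deflate, Flags: flags})
	w.Write(data)
	zw.Close()
	return buf.Bytes()
}

// SampleArchives returns constructed archives, one per misbehavior class.
func SampleArchives() map[string][]byte {
	return map[string][]byte{
		"clean":     buildZip("mod/main.tf", []byte("# ok\n"), 0),
		"traversal": buildZip("../../etc/cron.d/evil", []byte("* * * * * root id\n"), 0),
		"encrypted": buildZip("secret.txt", []byte("?"), 0x1),
		"bomb":      buildZip("zeros.bin", bytes.Repeat([]byte{0}, 4<<20), 0), // 4 MiB deflates to a few KiB
	}
}

func main() {
	dst, _ := os.MkdirTemp("", "getter-")
	defer os.RemoveAll(dst)
	for name, data := range SampleArchives() {
		n, err := ExtractZip(data, filepath.Join(dst, name))
		fmt.Printf("%-9s files=%d err=%v\n", name, n, err)
	}
}
```

Two design points worth noting. The size check is enforced on bytes actually produced, not on the UncompressedSize64 header, because that header is attacker-controlled and the whole point of a decompression bomb is that the declared and real sizes disagree; reading limit+1 bytes is enough to prove an entry is over budget without inflating the rest of it. And the encrypted-entry check is a flag test done before Open, so a password-protected entry is reported as an ordinary error instead of reaching the decompressor at all. For the library itself the fix remains upgrading to go-getter v1.6.1 or v2.1.0; running govulncheck ./... in a module that builds against an older version reports GO-2022-0586.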
Affected Packages
- Path: github.com/hashicorp/go-getter; Go Versions: before v1.6.1; Symbols: all symbols
- Path: github.com/hashicorp/go-getter/v2; Go Versions: before v2.1.0; Symbols: all symbols
- Path: (one of the 2 further packages listed above; not shown on this page); Go Versions: before v2.1.0; Symbols: (not shown)
- Path: (one of the 2 further packages listed above; not shown on this page); Go Versions: before v2.1.0; Symbols: (not shown)
Aliases
- CVE-2022-26945
- CVE-2022-30321
- CVE-2022-30322
- CVE-2022-30323
- GHSA-28r2-q6m8-9hpx
- GHSA-cjr4-fv6c-f3mv
- GHSA-fcgg-rvwg-jv58
- GHSA-x24g-9w7v-vprh
References
- https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
- https://github.com/hashicorp/go-getter/pull/361
- https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
- https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
- https://github.com/hashicorp/go-getter/pull/359
- https://vuln.go.dev/ID/GO-2022-0586.json
Credits
- Joern Schneeweisz of GitLab, Alessio Della Libera of Snyk, HashiCorp Product Security