| id: GO-TEST-ID |
| modules: |
| - module: github.com/hashicorp/go-getter |
| versions: |
| - fixed: 1.6.1 |
| vulnerable_at: 1.6.0 |
| - module: github.com/hashicorp/go-getter/gcs/v2 |
| versions: |
| - fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| - module: github.com/hashicorp/go-getter/s3/v2 |
| versions: |
| - fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| - module: github.com/hashicorp/go-getter/v2 |
| versions: |
| - introduced: 2.0.0 |
| fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| summary: |- |
| HashiCorp go-getter unsafe downloads could lead to asymmetric resource |
| exhaustion |
| description: |- |
| HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric |
| resource exhaustion could occur when go-getter processed malicious HTTP |
| responses. |
| cves: |
| - CVE-2022-30323 |
| ghsas: |
| - GHSA-28r2-q6m8-9hpx |
| references: |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-30323 |
| - fix: https://github.com/hashicorp/go-getter/pull/359 |
| - fix: https://github.com/hashicorp/go-getter/pull/361 |
| - fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48 |
| - fix: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 |
| - web: https://discuss.hashicorp.com |
| - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/ |
| - web: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 |
| - web: https://github.com/hashicorp/go-getter/releases |
| notes: |
| - lint: 'summary: must contain an affected module or package path (e.g. "github.com/hashicorp/go-getter")' |