blob: bf7b07b4e80f519b156515be8b0c25fe607304f6 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2023-1578",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-0475",
"GHSA-jpxj-2jvg-6jv9"
],
"summary": "Denial of service in github.com/hashicorp/go-getter/v2",
"details": "HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.",
"affected": [
{
"package": {
"name": "github.com/hashicorp/go-getter/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter/v2",
"symbols": [
"Bzip2Decompressor.Decompress",
"Client.Get",
"Client.GetChecksum",
"FolderStorage.Get",
"Get",
"GetAny",
"GetFile",
"GzipDecompressor.Decompress",
"HttpGetter.Get",
"Request.CopyReader",
"TarBzip2Decompressor.Decompress",
"TarGzipDecompressor.Decompress",
"TarXzDecompressor.Decompress",
"XzDecompressor.Decompress",
"ZipDecompressor.Decompress",
"copyReader",
"untar"
]
}
]
}
},
{
"package": {
"name": "github.com/hashicorp/go-getter",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter",
"symbols": [
"Bzip2Decompressor.Decompress",
"Client.ChecksumFromFile",
"Client.Get",
"FolderStorage.Get",
"GCSGetter.Get",
"GCSGetter.GetFile",
"Get",
"GetAny",
"GetFile",
"GzipDecompressor.Decompress",
"HttpGetter.Get",
"S3Getter.Get",
"S3Getter.GetFile",
"TarBzip2Decompressor.Decompress",
"TarDecompressor.Decompress",
"TarGzipDecompressor.Decompress",
"TarXzDecompressor.Decompress",
"TarZstdDecompressor.Decompress",
"XzDecompressor.Decompress",
"ZipDecompressor.Decompress",
"ZstdDecompressor.Decompress",
"copyReader",
"untar"
]
}
]
}
}
],
"references": [
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2023-1578",
"review_status": "REVIEWED"
}
}