data/reports/GO-2022-0438.yaml

id: GO-2022-0438
modules:
    - module: github.com/hashicorp/go-getter
      versions:
        - fixed: 1.5.11
      vulnerable_at: 1.5.10
      packages:
        - package: github.com/hashicorp/go-getter
          symbols:
            - RedactURL
          derived_symbols:
            - Client.ChecksumFromFile
            - Client.Get
            - FolderStorage.Get
            - Get
            - GetAny
            - GetFile
            - HttpGetter.Get
summary: Exposure of sensitive information via log file in github.com/hashicorp/go-getter
description: |-
    The getter package can write SSH credentials to its logfile, exposing
    credentials to local users able to read the logfile.
published: 2022-07-01T20:07:52Z
cves:
    - CVE-2022-29810
ghsas:
    - GHSA-27rq-4943-qcwp
references:
    - fix: https://github.com/hashicorp/go-getter/pull/348
    - fix: https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
    - web: https://github.com/hashicorp/go-getter/releases/tag/v1.5.11