blob: ffdf1b687c59b72f0e5d68cc7659cb5a5e525a13 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0586",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-05-26T00:01:27Z",
"aliases": [
"CVE-2022-26945",
"CVE-2022-30321",
"CVE-2022-30322",
"CVE-2022-30323",
"GHSA-28r2-q6m8-9hpx",
"GHSA-cjr4-fv6c-f3mv",
"GHSA-fcgg-rvwg-jv58",
"GHSA-x24g-9w7v-vprh"
],
"summary": "Resource exhaustion in github.com/hashicorp/go-getter and related modules",
"details": "Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.\n\n* Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.\n\n* Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.\n\n* Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.\n\n* A panic can be triggered when go-getter processed password-protected ZIP files.",
"affected": [
{
"package": {
"name": "github.com/hashicorp/go-getter",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter"
}
]
}
},
{
"package": {
"name": "github.com/hashicorp/go-getter/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter/v2"
}
]
}
},
{
"package": {
"name": "github.com/hashicorp/go-getter/s3/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter/s3/v2",
"symbols": [
"Getter.Get",
"Getter.GetFile",
"Getter.Mode"
]
}
]
}
},
{
"package": {
"name": "github.com/hashicorp/go-getter/gcs/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/hashicorp/go-getter/gcs/v2",
"symbols": [
"Getter.Get",
"Getter.GetFile",
"Getter.Mode"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-getter/pull/361"
},
{
"type": "FIX",
"url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/pull/359"
}
],
"credits": [
{
"name": "Joern Schneeweisz of GitLab"
},
{
"name": "Alessio Della Libera of Snyk"
},
{
"name": "HashiCorp Product Security"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0586",
"review_status": "REVIEWED"
}
}