| id: GO-2022-0438 |
| modules: |
| - module: github.com/hashicorp/go-getter |
| versions: |
| - fixed: 1.5.11 |
| vulnerable_at: 1.5.10 |
| packages: |
| - package: github.com/hashicorp/go-getter |
| symbols: |
| - RedactURL |
| derived_symbols: |
| - Client.ChecksumFromFile |
| - Client.Get |
| - FolderStorage.Get |
| - Get |
| - GetAny |
| - GetFile |
| - HttpGetter.Get |
| summary: Exposure of sensitive information via log file in github.com/hashicorp/go-getter |
| description: |- |
| The getter package can write SSH credentials to its logfile, exposing |
| credentials to local users able to read the logfile. |
| published: 2022-07-01T20:07:52Z |
| cves: |
| - CVE-2022-29810 |
| ghsas: |
| - GHSA-27rq-4943-qcwp |
| references: |
| - fix: https://github.com/hashicorp/go-getter/pull/348 |
| - fix: https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc |
| - web: https://github.com/hashicorp/go-getter/releases/tag/v1.5.11 |
| review_status: REVIEWED |