| modules: |
| - module: github.com/hashicorp/go-getter |
| versions: |
| - introduced: 1.5.11 |
| fixed: 1.6.1 |
| packages: |
| - package: github.com/hashicorp/go-getter |
| - module: github.com/hashicorp/go-getter/v2 |
| versions: |
| - introduced: 2.0.2 |
| fixed: 2.1.0 |
| packages: |
| - package: github.com/hashicorp/go-getter/v2 |
| description: | |
| Malicious HTTP responses can cause a number of misbehaviors, |
| including overwriting local files, resource exhaustion, and panics. |
| |
| * Protocol switching, endless redirect, and configuration bypass are |
| possible through abuse of custom HTTP response header processing. |
| |
| * Arbitrary host access is possible through go-getter path traversal, |
| symlink processing, and command injection flaws. |
| |
| * Asymmetric resource exhaustion can occur when go-getter processes |
| malicious HTTP responses. |
| |
| * A panic can be triggered when go-getter processed password-protected ZIP |
| files. |
| published: 2022-05-26T00:01:27Z |
| cves: |
| - CVE-2022-26945 |
| - CVE-2022-30321 |
| - CVE-2022-30322 |
| - CVE-2022-30323 |
| ghsas: |
| - GHSA-28r2-q6m8-9hpx |
| - GHSA-cjr4-fv6c-f3mv |
| - GHSA-fcgg-rvwg-jv58 |
| - GHSA-x24g-9w7v-vprh |
| credit: Joern Schneeweisz of GitLab, Alessio Della Libera of Snyk, and HashiCorp Product |
| Security |
| references: |
| - advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 |
| - fix: https://github.com/hashicorp/go-getter/pull/361 |
| - fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48 |
| - web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 |
| - web: https://github.com/hashicorp/go-getter/pull/359 |