| id: GO-2022-0586 |
| modules: |
| - module: github.com/hashicorp/go-getter |
| versions: |
| - fixed: 1.6.1 |
| vulnerable_at: 1.6.0 |
| packages: |
| - package: github.com/hashicorp/go-getter |
| - module: github.com/hashicorp/go-getter/v2 |
| versions: |
| - fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| packages: |
| - package: github.com/hashicorp/go-getter/v2 |
| - module: github.com/hashicorp/go-getter/s3/v2 |
| versions: |
| - fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| packages: |
| - package: github.com/hashicorp/go-getter/s3/v2 |
| symbols: |
| - Getter.Mode |
| - Getter.Get |
| - Getter.GetFile |
| - module: github.com/hashicorp/go-getter/gcs/v2 |
| versions: |
| - fixed: 2.1.0 |
| vulnerable_at: 2.0.2 |
| packages: |
| - package: github.com/hashicorp/go-getter/gcs/v2 |
| symbols: |
| - Getter.Mode |
| - Getter.Get |
| - Getter.GetFile |
| summary: Resource exhaustion in github.com/hashicorp/go-getter and related modules |
| description: |- |
| Malicious HTTP responses can cause a number of misbehaviors, including |
| overwriting local files, resource exhaustion, and panics. |
| |
| * Protocol switching, endless redirect, and configuration bypass are possible |
| through abuse of custom HTTP response header processing. |
| |
| * Arbitrary host access is possible through go-getter path traversal, symlink |
| processing, and command injection flaws. |
| |
| * Asymmetric resource exhaustion can occur when go-getter processes malicious |
| HTTP responses. |
| |
| * A panic can be triggered when go-getter processed password-protected ZIP |
| files. |
| published: 2022-05-26T00:01:27Z |
| cves: |
| - CVE-2022-26945 |
| - CVE-2022-30321 |
| - CVE-2022-30322 |
| - CVE-2022-30323 |
| ghsas: |
| - GHSA-28r2-q6m8-9hpx |
| - GHSA-cjr4-fv6c-f3mv |
| - GHSA-fcgg-rvwg-jv58 |
| - GHSA-x24g-9w7v-vprh |
| credits: |
| - Joern Schneeweisz of GitLab |
| - Alessio Della Libera of Snyk |
| - HashiCorp Product Security |
| references: |
| - advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 |
| - fix: https://github.com/hashicorp/go-getter/pull/361 |
| - fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48 |
| - web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 |
| - web: https://github.com/hashicorp/go-getter/pull/359 |
| review_status: REVIEWED |