blob: 01b1831a0ef2128be198b4f4413b76915d064350 [file] [log] [blame]
id: GO-2022-0586
modules:
- module: github.com/hashicorp/go-getter
versions:
- fixed: 1.6.1
vulnerable_at: 1.6.0
packages:
- package: github.com/hashicorp/go-getter
- module: github.com/hashicorp/go-getter/v2
versions:
- fixed: 2.1.0
vulnerable_at: 2.0.2
packages:
- package: github.com/hashicorp/go-getter/v2
- module: github.com/hashicorp/go-getter/s3/v2
versions:
- fixed: 2.1.0
vulnerable_at: 2.0.2
packages:
- package: github.com/hashicorp/go-getter/s3/v2
symbols:
- Getter.Mode
- Getter.Get
- Getter.GetFile
- module: github.com/hashicorp/go-getter/gcs/v2
versions:
- fixed: 2.1.0
vulnerable_at: 2.0.2
packages:
- package: github.com/hashicorp/go-getter/gcs/v2
symbols:
- Getter.Mode
- Getter.Get
- Getter.GetFile
summary: Resource exhaustion in github.com/hashicorp/go-getter and related modules
description: |-
Malicious HTTP responses can cause a number of misbehaviors, including
overwriting local files, resource exhaustion, and panics.
* Protocol switching, endless redirect, and configuration bypass are possible
through abuse of custom HTTP response header processing.
* Arbitrary host access is possible through go-getter path traversal, symlink
processing, and command injection flaws.
* Asymmetric resource exhaustion can occur when go-getter processes malicious
HTTP responses.
* A panic can be triggered when go-getter processed password-protected ZIP
files.
published: 2022-05-26T00:01:27Z
cves:
- CVE-2022-26945
- CVE-2022-30321
- CVE-2022-30322
- CVE-2022-30323
ghsas:
- GHSA-28r2-q6m8-9hpx
- GHSA-cjr4-fv6c-f3mv
- GHSA-fcgg-rvwg-jv58
- GHSA-x24g-9w7v-vprh
credits:
- Joern Schneeweisz of GitLab
- Alessio Della Libera of Snyk
- HashiCorp Product Security
references:
- advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
- fix: https://github.com/hashicorp/go-getter/pull/361
- fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
- web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
- web: https://github.com/hashicorp/go-getter/pull/359
review_status: REVIEWED