data/reports/GO-2022-0586.yaml - vulndb - Git at Google

 id: GO-2022-0586
 modules:
     - module: github.com/hashicorp/go-getter
       versions:
         - fixed: 1.6.1
       vulnerable_at: 1.6.0
       packages:
         - package: github.com/hashicorp/go-getter
     - module: github.com/hashicorp/go-getter/v2
       versions:
         - fixed: 2.1.0
       vulnerable_at: 2.0.2
       packages:
         - package: github.com/hashicorp/go-getter/v2
     - module: github.com/hashicorp/go-getter/s3/v2
       versions:
         - fixed: 2.1.0
       vulnerable_at: 2.0.2
       packages:
         - package: github.com/hashicorp/go-getter/s3/v2
           symbols:
             - Getter.Mode
             - Getter.Get
             - Getter.GetFile
     - module: github.com/hashicorp/go-getter/gcs/v2
       versions:
         - fixed: 2.1.0
       vulnerable_at: 2.0.2
       packages:
         - package: github.com/hashicorp/go-getter/gcs/v2
           symbols:
             - Getter.Mode
             - Getter.Get
             - Getter.GetFile
 summary: Resource exhaustion in github.com/hashicorp/go-getter and related modules
 description: |-
     Malicious HTTP responses can cause a number of misbehaviors, including
     overwriting local files, resource exhaustion, and panics.

     * Protocol switching, endless redirect, and configuration bypass are possible
     through abuse of custom HTTP response header processing.

     * Arbitrary host access is possible through go-getter path traversal, symlink
     processing, and command injection flaws.

     * Asymmetric resource exhaustion can occur when go-getter processes malicious
     HTTP responses.

     * A panic can be triggered when go-getter processed password-protected ZIP
     files.
 published: 2022-05-26T00:01:27Z
 cves:
     - CVE-2022-26945
     - CVE-2022-30321
     - CVE-2022-30322
     - CVE-2022-30323
 ghsas:
     - GHSA-28r2-q6m8-9hpx
     - GHSA-cjr4-fv6c-f3mv
     - GHSA-fcgg-rvwg-jv58
     - GHSA-x24g-9w7v-vprh
 credits:
     - Joern Schneeweisz of GitLab
     - Alessio Della Libera of Snyk
     - HashiCorp Product Security
 references:
     - advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
     - fix: https://github.com/hashicorp/go-getter/pull/361
     - fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
     - web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
     - web: https://github.com/hashicorp/go-getter/pull/359
	id: GO-2022-0586
	modules:
	- module: github.com/hashicorp/go-getter
	versions:
	- fixed: 1.6.1
	vulnerable_at: 1.6.0
	packages:
	- package: github.com/hashicorp/go-getter
	- module: github.com/hashicorp/go-getter/v2
	versions:
	- fixed: 2.1.0
	vulnerable_at: 2.0.2
	packages:
	- package: github.com/hashicorp/go-getter/v2
	- module: github.com/hashicorp/go-getter/s3/v2
	versions:
	- fixed: 2.1.0
	vulnerable_at: 2.0.2
	packages:
	- package: github.com/hashicorp/go-getter/s3/v2
	symbols:
	- Getter.Mode
	- Getter.Get
	- Getter.GetFile
	- module: github.com/hashicorp/go-getter/gcs/v2
	versions:
	- fixed: 2.1.0
	vulnerable_at: 2.0.2
	packages:
	- package: github.com/hashicorp/go-getter/gcs/v2
	symbols:
	- Getter.Mode
	- Getter.Get
	- Getter.GetFile
	summary: Resource exhaustion in github.com/hashicorp/go-getter and related modules
	description: \|-
	Malicious HTTP responses can cause a number of misbehaviors, including
	overwriting local files, resource exhaustion, and panics.

	* Protocol switching, endless redirect, and configuration bypass are possible
	through abuse of custom HTTP response header processing.

	* Arbitrary host access is possible through go-getter path traversal, symlink
	processing, and command injection flaws.

	* Asymmetric resource exhaustion can occur when go-getter processes malicious
	HTTP responses.

	* A panic can be triggered when go-getter processed password-protected ZIP
	files.
	published: 2022-05-26T00:01:27Z
	cves:
	- CVE-2022-26945
	- CVE-2022-30321
	- CVE-2022-30322
	- CVE-2022-30323
	ghsas:
	- GHSA-28r2-q6m8-9hpx
	- GHSA-cjr4-fv6c-f3mv
	- GHSA-fcgg-rvwg-jv58
	- GHSA-x24g-9w7v-vprh
	credits:
	- Joern Schneeweisz of GitLab
	- Alessio Della Libera of Snyk
	- HashiCorp Product Security
	references:
	- advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
	- fix: https://github.com/hashicorp/go-getter/pull/361
	- fix: https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48
	- web: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
	- web: https://github.com/hashicorp/go-getter/pull/359