CVE-2022-26945

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-26945

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26945.json

Aliases

CVE-2022-30321
CVE-2022-30322
CVE-2022-30323
GHSA-28r2-q6m8-9hpx
GHSA-cjr4-fv6c-f3mv
GHSA-fcgg-rvwg-jv58
GHSA-x24g-9w7v-vprh
GO-2022-0586

Published

2022-05-25T12:15:08Z

Modified

2024-03-15T00:05:25.226817Z

Details

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

References

https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Affected packages

Git / github.com/hashicorp/go-getter

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/go-getter
Events: Introduced

0The exact introduced commit is unknown

Last affected

4e45866a5873686490865880dabbd4737215caf1

Affected versions

cmd/go-getter/v2.*

cmd/go-getter/v2.0.2

gcs/v2.*

gcs/v2.0.2

s3/v2.*

s3/v2.0.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.2.0

v1.3.0

v1.4.0

v1.4.1

v2.*

v2.0.0

v2.0.1

v2.0.2