GO-2022-0586

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0586

Import Source

https://vuln.go.dev/ID/GO-2022-0586.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0586

Aliases

Published

2022-05-26T00:01:27Z

Modified

2024-05-20T16:03:47Z

Summary

Resource exhaustion in github.com/hashicorp/go-getter and related modules

Details

Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.

Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.
Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.
Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.
A panic can be triggered when go-getter processed password-protected ZIP files.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0586"
}

References

Credits

- Joern Schneeweisz of GitLab
- Alessio Della Libera of Snyk
- HashiCorp Product Security

Affected packages

Go / github.com/hashicorp/go-getter

Package

Name: github.com/hashicorp/go-getter; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/go-getter

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter"
        }
    ]
}

Go / github.com/hashicorp/go-getter/v2

Package

Name: github.com/hashicorp/go-getter/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/go-getter/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/v2"
        }
    ]
}

Go / github.com/hashicorp/go-getter/s3/v2

Package

Name: github.com/hashicorp/go-getter/s3/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/go-getter/s3/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/s3/v2",
            "symbols": [
                "Getter.Get",
                "Getter.GetFile",
                "Getter.Mode"
            ]
        }
    ]
}

Go / github.com/hashicorp/go-getter/gcs/v2

Package

Name: github.com/hashicorp/go-getter/gcs/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/hashicorp/go-getter/gcs/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/gcs/v2",
            "symbols": [
                "Getter.Get",
                "Getter.GetFile",
                "Getter.Mode"
            ]
        }
    ]
}