GO-2022-0586

Source

https://pkg.go.dev/vuln/GO-2022-0586

Import Source

https://vuln.go.dev/ID/GO-2022-0586.json

Aliases

Published

2022-05-26T00:01:27Z

Modified

2024-03-15T00:05:25.226817Z

Details

Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.

Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.
Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.
Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.
A panic can be triggered when go-getter processed password-protected ZIP files.

References

Affected packages

Go / github.com/hashicorp/go-getter

Package

Name: github.com/hashicorp/go-getter

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.6.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter"
        }
    ]
}

Go / github.com/hashicorp/go-getter/v2

Package

Name: github.com/hashicorp/go-getter/v2

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/v2"
        }
    ]
}

Go / github.com/hashicorp/go-getter/s3/v2

Package

Name: github.com/hashicorp/go-getter/s3/v2

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/s3/v2",
            "symbols": [
                "Getter.Get",
                "Getter.GetFile",
                "Getter.Mode"
            ]
        }
    ]
}

Go / github.com/hashicorp/go-getter/gcs/v2

Package

Name: github.com/hashicorp/go-getter/gcs/v2

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

2.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/hashicorp/go-getter/gcs/v2",
            "symbols": [
                "Getter.Get",
                "Getter.GetFile",
                "Getter.Mode"
            ]
        }
    ]
}