CVE-2022-26945
Published 2022-05-25

CVE-2022-26945: go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing…
Priority P3 · 48 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS 1.52% (71.5th percentile)
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-hashicorp-go-getter | — | — |
| github.com | hashicorp_go-getter | >= 0 < 1.6.1 | 1.6.1 |
| github.com | hashicorp_go-getter | >= 2.0.0 < 2.1.0 | 2.1.0 |
| github.com | hashicorp_go-getter_gcs_v2 | >= 0 < 2.1.0 | 2.1.0 |
| github.com | hashicorp_go-getter_s3_v2 | >= 0 < 2.1.0 | 2.1.0 |
| github.com | hashicorp_go-getter_v2 | >= 0 < 2.1.0 | 2.1.0 |
| hashicorp | go-getter | <= 1.5.11 | — |
| hashicorp | go-getter | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
go-getter: command injection vulnerability
vendor_redhat · 2022-05-24 · CVSS 9.8 · CRITICAL · CWE-77
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.
Mitigation: The fix includes new configuration options to help limit the security exposure and have more secure defaults.
Package: rhacm2/agent-service-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: rhacm2/cluster-curator-controller-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: rhacm2/clusterl
Debian
CVE-2022-26945: golang-github-hashicorp-go-getter - go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, a...
vendor_debian · 2022 · CVSS 9.8 · CRITICAL
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
Scope: local
bookworm: open
bullseye: open
OSV
HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion
osv · 2022-05-26 · HIGH
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
GHSA
HashiCorp go-getter command injection
ghsa · 2022-05-26 · CRITICAL · CWE-77
HashiCorp go-getter before 2.0.2 allows Command Injection.
OSV
HashiCorp go-getter unsafe downloads could lead to arbitrary host access
osv · 2022-05-26 · HIGH
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
OSV
HashiCorp go-getter unsafe downloads
osv · 2022-05-26 · HIGH
HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
OSV
HashiCorp go-getter command injection
osv · 2022-05-26 · CRITICAL
HashiCorp go-getter before 2.0.2 allows Command Injection.
OSV
Resource exhaustion in github.com/hashicorp/go-getter and related modules
osv · 2022-05-26
Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.
* Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.
* Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.
* Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.
* A panic can be triggered when go-getter processed password-protected ZIP files.
OSV
CVE-2022-26945: go-getter up to 1
osv · 2022-05-25 · CVSS 9.8 · CRITICAL
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-05-25