CVE-2022-26945 — Command Injection in Hashicorp Go-getter

CWE-77 — Command Injection11 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 65.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Go-getter Github.com Hashicorp Go-getter GCS V2 Github.com Hashicorp Go-getter S3 V2 +2 more

Timeline

PublishedMay 25

Latest updateMay 26

Description

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶Gogithub.com/hashicorp_go-getter2.0.0 — 2.1.0+1

▶Gogithub.com/hashicorp_go-getter_v2< 2.1.0

▶Gogithub.com/hashicorp_go-getter_s3_v2< 2.1.0

▶Gogithub.com/hashicorp_go-getter_gcs_v2< 2.1.0

▶NVDhashicorp/go-getter1.5.11+1

🔴Vulnerability Details

OSV

HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion↗2022-05-26

▶

GHSA

HashiCorp go-getter command injection↗2022-05-26

▶

OSV

HashiCorp go-getter unsafe downloads could lead to arbitrary host access↗2022-05-26

▶

OSV

HashiCorp go-getter unsafe downloads↗2022-05-26

▶

OSV

HashiCorp go-getter command injection↗2022-05-26

▶

📋Vendor Advisories

Red Hat

go-getter: command injection vulnerability↗2022-05-24

▶

Debian

CVE-2022-26945: golang-github-hashicorp-go-getter - go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, a...↗2022

▶