CVE-2022-29810: Log File Information Exposure in Hashicorp Go-getter

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 72.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 27; latest update Jul 1

Description

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages: 3 packages

Patches

Vulnerability Details

6
OSV: Exposure of sensitive information via log file in github.com/hashicorp/go-getter (2022-07-01)
GHSA: Insertion of Sensitive Information into Log File in Hashicorp go-getter (2022-04-28)
OSV: Insertion of Sensitive Information into Log File in Hashicorp go-getter (2022-04-28)
OSV: Exposure of SSH credentials in Rancher/Fleet (2022-04-27)
CVEList: CVE-2022-29810: The Hashicorp go-getter library before 1 (2022-04-27)

Vendor Advisories

2
Red Hat: go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users (2022-04-27)
Debian: CVE-2022-29810: golang-github-hashicorp-go-getter - The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a ... (2022)