CVE-2022-29810
Published: 2022-04-27
Priority: P4 · 25 · medium · CVSS 3.1 base score 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.40% (32.2nd percentile)
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-hashicorp-go-getter | — | — |
| github.com | hashicorp_go-getter | >= 0 < 1.5.11 | 1.5.11 |
| github.com | rancher_rancher | >= 0 < 2.5.13 | 2.5.13 |
| github.com | rancher_rancher | >= 2.6.0 < 2.6.4 | 2.6.4 |
| hashicorp | go-getter | < 1.5.11 | 1.5.11 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | — | 5.5 | MEDIUM | — |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | LOW | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
OSV · 2022-07-01
CVE-2022-29810: Exposure of sensitive information via log file in github.com/hashicorp/go-getter
The getter package can write SSH credentials to its logfile, exposing credentials to local users able to read the logfile.
GHSA · 2022-04-28
CVE-2022-29810 [MEDIUM] CWE-532: Insertion of Sensitive Information into Log File in Hashicorp go-getter
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
OSV · 2022-04-28
CVE-2022-29810 [MEDIUM]: Insertion of Sensitive Information into Log File in Hashicorp go-getter
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
OSV · 2022-04-27 · CVSS 5.5
CVE-2022-29810 [MEDIUM]: Exposure of SSH credentials in Rancher/Fleet
### Impact
This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories.
A security vulnerability ([CVE-2022-29810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29810)) was discovered in the `go-getter` library in versions prior to [`v1.5.11`](https://github.com/hashicorp/go-getter/releases/tag/v1.5.11) that exposes SSH private keys in base64 format due to a failure to redact such information from error messages. The vulnerable version of this library is used in Rancher through Fleet in versions of Fleet prior to [`v0.3.9`](https://github.com/rancher/fleet/releases/tag/v0.3.9). This issue affects Rancher versions 2.5.0 up to and including 2.5.12 and from 2.6.0 up to and
GHSA · 2022-04-27 · CVSS 5.5
CVE-2022-29810 [MEDIUM] CWE-200: Exposure of SSH credentials in Rancher/Fleet
### Impact
This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories.
A security vulnerability ([CVE-2022-29810](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29810)) was discovered in the `go-getter` library in versions prior to [`v1.5.11`](https://github.com/hashicorp/go-getter/releases/tag/v1.5.11) that exposes SSH private keys in base64 format due to a failure to redact such information from error messages. The vulnerable version of this library is used in Rancher through Fleet in versions of Fleet prior to [`v0.3.9`](https://github.com/rancher/fleet/releases/tag/v0.3.9). This issue affects Rancher versions 2.5.0 up to and including 2.5.12 and from 2.6.0 up to and
Red Hat · 2022-04-27 · CVSS 5.5
CVE-2022-29810 [MEDIUM] CWE-532: go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover.
Package: rhacm2/agent-service-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Package: rhacm2/cluster-curator-controller-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Affected
Package: rhacm2/clusterlifecycle-state-metrics-rhel8 (Red Hat Advanced Cluster Management for Kubernetes 2) - Not affected
Debian · 2022 · CVSS 5.5
CVE-2022-29810 [MEDIUM]: golang-github-hashicorp-go-getter - The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a ...
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
Scope: local
bookworm: resolved
bullseye: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
https://github.com/hashicorp/go-getter/pull/348
https://github.com/hashicorp/go-getter/releases/tag/v1.5.11