CVE-2022-30321 — Path Traversal in Hashicorp Go-getter

CWE-22 — Path Traversal CWE-59 — Link Following CWE-77 — Command Injection CWE-229 — Improper Handling of Values11 documents6 sources

Severity

8.6HIGHNVD

EPSS

2.9%

top 13.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Go-getter Github.com Hashicorp Go-getter GCS V2 Github.com Hashicorp Go-getter S3 V2 +2 more

Timeline

PublishedMay 25

Latest updateMay 26

Description

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 3.9 | Impact: 4.7

Affected Packages5 packages

▶Gogithub.com/hashicorp_go-getter2.0.0 — 2.1.0+1

▶Gogithub.com/hashicorp_go-getter_v2< 2.1.0

▶Gogithub.com/hashicorp_go-getter_s3_v2< 2.1.0

▶Gogithub.com/hashicorp_go-getter_gcs_v2< 2.1.0

▶NVDhashicorp/go-getter1.5.11+1

🔴Vulnerability Details

OSV

HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion↗2022-05-26

▶

OSV

HashiCorp go-getter unsafe downloads could lead to arbitrary host access↗2022-05-26

▶

OSV

HashiCorp go-getter unsafe downloads↗2022-05-26

▶

GHSA

HashiCorp go-getter unsafe downloads↗2022-05-26

▶

OSV

HashiCorp go-getter command injection↗2022-05-26

▶

📋Vendor Advisories

Red Hat

go-getter: unsafe download (issue 1 of 3)↗2022-05-24

▶

Debian

CVE-2022-30321: golang-github-hashicorp-go-getter - go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter pat...↗2022

▶