CVE-2022-30323Improper Handling of Values in Hashicorp Go-getter

CWE-229Improper Handling of Values11 documents6 sources
Severity
8.6HIGHNVD
EPSS
0.5%
top 33.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Github.com Hashicorp Go-getterGithub.com Hashicorp Go-getter GCS V2Github.com Hashicorp Go-getter S3 V2+2 more
Timeline
PublishedMay 25
Latest updateMay 26

Description

go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:HExploitability: 3.9 | Impact: 4.7

Affected Packages5 packages

Gogithub.com/hashicorp_go-getter2.0.02.1.0+1
NVDhashicorp/go-getter1.5.11+1

🔴Vulnerability Details

8
OSV
HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion2022-05-26
OSV
HashiCorp go-getter unsafe downloads could lead to arbitrary host access2022-05-26
GHSA
HashiCorp go-getter unsafe downloads could lead to asymmetric resource exhaustion2022-05-26
OSV
HashiCorp go-getter unsafe downloads2022-05-26
OSV
HashiCorp go-getter command injection2022-05-26

📋Vendor Advisories

2
Red Hat
go-getter: unsafe download (issue 3 of 3)2022-05-24
Debian
CVE-2022-30323: golang-github-hashicorp-go-getter - go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP...2022
CVE-2022-30323 — Improper Handling of Values | cvebase