CVE-2023-0475 — Improper Handling of Highly Compressed Data (Data Amplification) in Hashicorp Go-getter

CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)9 documents7 sources

Severity

6.5MEDIUMNVD

CNA4.2

EPSS

0.1%

top 74.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Hashicorp Go-getter Github.com Hashicorp Go-getter V2 Hashicorp Go-getter

Timeline

PublishedFeb 16

Latest updateFeb 17

Description

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Gogithub.com/hashicorp_go-getter< 1.7.0

▶Gogithub.com/hashicorp_go-getter_v22.0.0 — 2.2.0

▶CVEListV5hashicorp/go-getter1.6.2+1

▶NVDhashicorp/go-getter1.6.2+1

🔴Vulnerability Details

OSV

Denial of service in github.com/hashicorp/go-getter/v2↗2023-02-17

▶

OSV

CVE-2023-0475: HashiCorp go-getter up to 1↗2023-02-16

▶

CVEList

Go-Getter Vulnerable to Decompression Bombs↗2023-02-16

▶

GHSA

Data Amplification in HashiCorp go-getter↗2023-02-16

▶

OSV

Data Amplification in HashiCorp go-getter↗2023-02-16

▶

📋Vendor Advisories

Red Hat

go-getter: go-getter vulnerable to denial of service via malicious compressed archive↗2023-02-16

▶

Microsoft

Go-Getter Vulnerable to Decompression Bombs↗2023-02-14

▶

Debian

CVE-2023-0475: golang-github-hashicorp-go-getter - HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. ...↗2023

▶