CVE-2023-0475
published 2023-02-16

CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

Priority: P4 | 24 | medium | 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.45% (36.1th percentile)

Affected

8 ranges
Vendor | Product | Version range | Fixed in
debian | golang-github-hashicorp-go-getter | - | -
github.com | hashicorp_go-getter | >= 0 < 1.7.0 | 1.7.0
github.com | hashicorp_go-getter_v2 | >= 2.0.0 < 2.2.0 | 2.2.0
hashicorp | go-getter | <= 1.6.2 | -
hashicorp | go-getter | - | -
msrc | cbl2_k3s_1.24.12-2_on_cbl_mariner_2.0 | - | -
msrc | cbl2_packer_1.8.7-1_on_cbl_mariner_2.0 | - | -
msrc | cbl2_terraform_1.3.2-22_on_cbl_mariner_2.0 | - | -

CVSS provenance

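Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
osv | - | 6.5 | MEDIUM | -
vendor_msrc | - | 6.5 | MEDIUM | -
vendor_debian | - | 4.2 | MEDIUM | -
vendor_redhat | - | 4.2 | MEDIUM | -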