Fluid Attacks Database

Description

HashiCorp go-getter unsafe downloads could lead to arbitrary host access HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/go-getter/gcs/v2	>=0 <2.1.0	2.1.0
debian 11	golang-github-hashicorp-go-getter	=1.4.1-1	-
go	github.com/hashicorp/go-getter	>=0 <1.6.1 \|\| >=2.0.0 <2.1.0	1.6.1, 2.1.0
go	github.com/hashicorp/go-getter/v2	>=0 <2.1.0	2.1.0
go	github.com/hashicorp/go-getter/s3/v2	>=0 <2.1.0	2.1.0
debian 12	golang-github-hashicorp-go-getter	=1.4.1-1	-

Aliases

1. CVE-2022-303222. NVD-2022-303223. OSV-2022-303224. OSV-DEBIAN-2022-303225. GCVE-2022-303226. SECURITY-TRACKER-CVE-2022-30322

References

1. https://github.com/hashicorp/go-getter/pull/3592. https://github.com/hashicorp/go-getter/pull/3613. https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb484. https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a455. https://discuss.hashicorp.com6. https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library7. https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/399308. https://github.com/hashicorp/go-getter/releases9. https://pkg.go.dev/vuln/GO-2022-0586

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.