GSA_kwCzR0hTQS0yN3JxLTQ5NDMtcWN3cM1Bgg

Moderate EPSS: 0.00052% (0.16171 Percentile) EPSS:

Permalink JSON

Insertion of Sensitive Information into Log File in Hashicorp go-getter

Affected Packages	Affected Versions	Fixed Versions
go:github.com/hashicorp/go-getter	< 1.5.11	1.5.11
3,705 Dependent packages 6,872 Dependent repositories Affected Version Ranges All affected versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10 All unaffected versions 1.5.11, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

References:

Identifiers

GHSA-27rq-4943-qcwp

CVE-2022-29810

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00052

EPSS Percentile: 0.16171

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hashicorp/go-getter

Date and time

Published

about 3 years ago

Updated

over 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories