Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1mY2dnLXJ2d2ctanY1OM4AArNo

High EPSS: 0.00829% (0.73605 Percentile) EPSS:
Permalink JSON

HashiCorp go-getter unsafe downloads

Affected Packages Affected Versions Fixed Versions
go:github.com/hashicorp/go-getter/gcs/v2 < 2.1.0 2.1.0
125 Dependent packages
188 Dependent repositories

Affected Version Ranges

All affected versions

2.0.2

All unaffected versions

2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3
go:github.com/hashicorp/go-getter/s3/v2 < 2.1.0 2.1.0
125 Dependent packages
188 Dependent repositories

Affected Version Ranges

All affected versions

2.0.2

All unaffected versions

2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3
go:github.com/hashicorp/go-getter/v2 < 2.1.0 2.1.0
195 Dependent packages
234 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.0.2

All unaffected versions

2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3
go:github.com/hashicorp/go-getter >= 2.0.0, < 2.1.0, < 1.6.1 2.1.0, 1.6.1
3,705 Dependent packages
6,872 Dependent repositories

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.0

All unaffected versions

1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

References:

Identifiers

GHSA-fcgg-rvwg-jv58

CVE-2022-30321

Risk

Severity

High

EPSS

EPSS Percentage: 0.00829

EPSS Percentile: 0.73605

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/hashicorp/go-getter

Date and time

Published

about 3 years ago

Updated

over 2 years ago

API

JSON