CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0377 – HashiCorp go-slug Vulnerable to Zip Slip Attack
https://notcve.org/view.php?id=CVE-2025-0377
21 Jan 2025 — HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. • https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6257 – HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
https://notcve.org/view.php?id=CVE-2024-6257
25 Jun 2024 — HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. • https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6104 – go-retryablehttp can leak basic auth credentials to log files
https://notcve.org/view.php?id=CVE-2024-6104
24 Jun 2024 — go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. A vulnerability was found in go-retryablehttp. The package may suffer from a lack of input sanitization by not cleaning up URL data when writing to the logs. • https://discuss.hashicorp.com/c/security • CWE-532: Insertion of Sensitive Information into Log File •