
CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

CVE-2022-30321: go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via path traversal, symlink processing, and command injection flaws in go-getter. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
• https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30321 https://bugzilla.redhat.com/show_bug.cgi?id=2092918
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-229: Improper Handling of Values

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

CVE-2022-30322: go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
• https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30322 https://bugzilla.redhat.com/show_bug.cgi?id=2092923
• CWE-229: Improper Handling of Values
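The entry above says only that a malicious HTTP response could exhaust the client's resources. The general defence a practitioner wants to see is a client that bounds both how many body bytes it will buffer and how long it will wait, regardless of what the server declares. The following Go program is an added example written for this page, not go-getter's own fix or code; it exercises the bounded fetch against a constructed test server that streams a large chunked body with no Content-Length, standing in for a hostile origin.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// ErrBodyTooLarge is returned when a response body exceeds the caller's cap.
var ErrBodyTooLarge = errors.New("response body exceeds size limit")

// fetchBounded fetches url but never buffers more than maxBytes of the body.
// The caller's client must carry a Timeout so a slow or stalled server is
// bounded in time as well as in bytes.
func fetchBounded(client *http.Client, url string, maxBytes int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	// Cheap early exit when the server honestly declares an oversized body.
	// ContentLength is -1 for chunked responses, so this alone is not enough.
	if resp.ContentLength > maxBytes {
		return nil, ErrBodyTooLarge
	}
	// Read one byte past the cap: if that byte arrives, the body was too large.
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// newLargeBodyServer is a constructed fixture standing in for a malicious
// server: it streams size bytes as chunked output with no Content-Length,
// so the client cannot know the size up front.
func newLargeBodyServer(size int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		chunk := make([]byte, 4096)
		for sent := 0; sent < size; {
			n := len(chunk)
			if size-sent < n {
				n = size - sent
			}
			if _, err := w.Write(chunk[:n]); err != nil {
				return // client gave up; stop streaming
			}
			if f, ok := w.(http.Flusher); ok {
				f.Flush() // flushing forces chunked encoding
			}
			sent += n
		}
	}))
}

func main() {
	srv := newLargeBodyServer(1 << 20) // 1 MiB body
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}

	_, err := fetchBounded(client, srv.URL, 64*1024)
	fmt.Println("64 KiB cap:", err) // response body exceeds size limit

	data, err := fetchBounded(client, srv.URL, 2<<20)
	fmt.Println("2 MiB cap:", len(data), err) // 1048576 <nil>
}
```

The cap has to be enforced on the bytes actually read, not on the Content-Length header, because a chunked response carries no length and a hostile server can lie in any case. The client Timeout covers the whole exchange; for long legitimate downloads a per-read deadline on the connection is the finer-grained alternative.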

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

CVE-2022-30323: go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
• https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30323 https://bugzilla.redhat.com/show_bug.cgi?id=2092925
• CWE-229: Improper Handling of Values
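Two of the go-getter entries on this page concern archive handling: CVE-2022-30321 (path traversal and symlink processing during extraction) and CVE-2022-30323 (a panic on password-protected ZIP files). One extractor can demonstrate the checks that close both classes of problem, so the added Go example below serves both entries. It is written for this page and is not go-getter's own code or fix. It relies on two facts from the ZIP format: bit 0 of an entry's general-purpose flags marks it as encrypted, and Go's archive/zip cannot decrypt such entries. The `zipEntry` fixture type and `buildZip` helper are constructed test scaffolding; the "encrypted" fixture only sets the flag bit and ciphers nothing, which is enough to exercise the check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrPathEscape = errors.New("entry path escapes the destination directory")
var ErrSymlink = errors.New("entry is a symbolic link")
var ErrEncrypted = errors.New("entry is password-protected")

// checkEntry rejects a hostile entry before anything touches the filesystem.
func checkEntry(f *zip.File) error {
	// Flag bit 0 marks a traditionally encrypted entry; archive/zip cannot decrypt it.
	if f.Flags&0x1 != 0 {
		return fmt.Errorf("%s: %w", f.Name, ErrEncrypted)
	}
	if f.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%s: %w", f.Name, ErrSymlink)
	}
	// Clean with the host separator: "a/../../x" becomes "../x" and is refused.
	clean := filepath.Clean(filepath.FromSlash(f.Name))
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%s: %w", f.Name, ErrPathEscape)
	}
	return nil
}

// extractZip validates every entry before writing, so a hostile archive never leaves a partial extraction.
func extractZip(data []byte, dest string) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if r == nil {
		return err // unreadable; r stays populated on Go 1.20+'s ErrInsecurePath
	}
	for _, f := range r.File {
		if err := checkEntry(f); err != nil {
			return err
		}
	}
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			continue // parents are created as files are written
		}
		target := filepath.Join(dest, filepath.FromSlash(f.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		rc, err := f.Open()
		if err != nil {
			return err
		}
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err == nil {
			_, err = io.Copy(out, rc) // archive/zip verifies CRC and size as it reads
			out.Close()
		}
		rc.Close()
		if err != nil {
			return err
		}
	}
	return nil
}

type zipEntry struct { // one member of a constructed test archive (fixture, not real data)
	name, body string      // body is the link target when mode has os.ModeSymlink
	mode       os.FileMode // zero means a plain file
	flags      uint16      // 0x1 marks the entry encrypted without ciphering anything
}

func buildZip(entries []zipEntry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		h := &zip.FileHeader{Name: e.name, Method: zip.Deflate, Flags: e.flags}
		if e.mode != 0 {
			h.SetMode(e.mode)
		}
		w, err := zw.CreateHeader(h)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(e.body)) // backed by bytes.Buffer, cannot fail
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	fmt.Println(extractZip(buildZip([]zipEntry{{name: "../escape.txt", body: "x"}}), os.TempDir()))
}
```

The two-pass shape matters: validating every entry before writing any means a rejected archive leaves nothing behind. What this example does not cover is a destination directory that already contains symlinks when extraction starts; a fully hardened extractor also resolves `dest` and refuses to follow links that exist on disk, which is a separate race from the archive-side checks shown here.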

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
• https://discuss.hashicorp.com https://security.gentoo.org/glsa/202207-01 https://security.netapp.com/advisory/ntap-20220629-0006

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

CVE-2022-29810: The HashiCorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover.
• https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc https://github.com/hashicorp/go-getter/pull/348 https://github.com/hashicorp/go-getter/releases/tag/v1.5.11 https://access.redhat.com/security/cve/CVE-2022-29810 https://bugzilla.redhat.com/show_bug.cgi?id=2080279
• CWE-532: Insertion of Sensitive Information into Log File
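The defect above is a credential reaching a log line because the URL was logged as received. The practical fix is to pass every URL through a redaction step before it is formatted into any log, error or trace. The Go function below is an added example written for this page, not the go-getter commit linked above. It assumes the `sshkey` query parameter name (the one go-getter's git getter reads an inline private key from) plus two further names, `token` and `password`, added for illustration; it also assumes a `getter::` forced-getter prefix may precede the URL and splits it off before parsing, since `net/url` would otherwise treat the whole thing as an opaque URL. The sample URLs in `main` are constructed and carry no real key.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sensitiveParams are query parameters whose values must never reach a log.
// "sshkey" follows go-getter's git getter; "token" and "password" are assumed
// names added for illustration. Matching is case-insensitive.
var sensitiveParams = map[string]bool{"sshkey": true, "token": true, "password": true}

// redactURL returns a copy of rawURL that is safe to log: the userinfo password
// and every sensitive query value are replaced; everything else is preserved.
// A leading "getter::" prefix (assumed forced-getter syntax) is split off first
// because url.Parse would otherwise treat the URL as opaque and hide the query.
func redactURL(rawURL string) string {
	prefix := ""
	if i := strings.Index(rawURL, "::"); i > 0 && !strings.ContainsAny(rawURL[:i], "/?") {
		prefix, rawURL = rawURL[:i+2], rawURL[i+2:]
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return prefix + "<unparseable url>" // never echo input we could not classify
	}
	if u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	q := u.Query()
	for k := range q {
		if sensitiveParams[strings.ToLower(k)] {
			q[k] = []string{"REDACTED"}
		}
	}
	u.RawQuery = q.Encode()
	return prefix + u.String()
}

func main() {
	// Constructed sample URLs; the "key" is the base64 of "AAAA", not a real key.
	for _, src := range []string{
		"git::ssh://git@github.com/org/repo.git?ref=main&sshkey=QUFBQQ==",
		"https://user:hunter2@example.com/repo?token=abc123",
		"https://example.com/archive.zip?depth=1&ref=main",
	} {
		fmt.Printf("fetching %s\n", redactURL(src))
	}
}
```

One side effect to know about: `q.Encode()` re-encodes and sorts the query, so a non-sensitive value containing characters such as `:` will come back percent-encoded. That is fine for a log line; if the redacted string must round-trip as the original URL, rewrite only the sensitive parameters in `RawQuery` instead.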