CVE-2022-30323 – go-getter: unsafe download (issue 3 of 3)
https://notcve.org/view.php?id=CVE-2022-30323
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
References: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30323 https://bugzilla.redhat.com/show_bug.cgi?id=2092925
CWE-229: Improper Handling of Values
CVE-2022-30689
https://notcve.org/view.php?id=CVE-2022-30689
HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3.
References: https://discuss.hashicorp.com https://security.gentoo.org/glsa/202207-01 https://security.netapp.com/advisory/ntap-20220629-0006
CVE-2022-29810 – go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users
https://notcve.org/view.php?id=CVE-2022-29810
The HashiCorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover.
References: https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc https://github.com/hashicorp/go-getter/pull/348 https://github.com/hashicorp/go-getter/releases/tag/v1.5.11 https://access.redhat.com/security/cve/CVE-2022-29810 https://bugzilla.redhat.com/show_bug.cgi?id=2080279
CWE-532: Insertion of Sensitive Information into Log File
CVE-2022-29153
https://notcve.org/view.php?id=CVE-2022-29153
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server-side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
References: https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH https://security.gentoo.org/glsa/202208-09 https://security.netapp.com/advisory/ntap-20220602-0005
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2021-44139
https://notcve.org/view.php?id=CVE-2021-44139
Sentinel 1.8.2 is vulnerable to server-side request forgery (SSRF).
References: https://github.com/alibaba/Sentinel/issues/2451
CWE-918: Server-Side Request Forgery (SSRF)