CVE-2022-29810 – go-getter: writes SSH credentials into logfile, exposing sensitive credentials to local users
https://notcve.org/view.php?id=CVE-2022-29810
The HashiCorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover.

• https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
• https://github.com/hashicorp/go-getter/pull/348
• https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
• https://access.redhat.com/security/cve/CVE-2022-29810
• https://bugzilla.redhat.com/show_bug.cgi?id=2080279
• CWE-532: Insertion of Sensitive Information into Log File
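A sketch of the missing control, redacting a source URL before it reaches a log line. This is an added example, not code from this page or from the go-getter project. The helper name `RedactForLog`, the `example.com` source and the key value are constructed, and it assumes the key travels in go-getter's `sshkey` query parameter.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sensitiveParams lists query parameters to mask before logging.
// Assumption: "sshkey" is the go-getter parameter carrying the SSH key.
var sensitiveParams = []string{"sshkey"}

// RedactForLog (hypothetical helper) returns src in a form that is safe
// to log: the userinfo password and any sensitive query parameter are
// replaced with "redacted". A forced-getter prefix such as "git::" is kept.
func RedactForLog(src string) string {
	prefix := ""
	// Split off a go-getter style "getter::" prefix before URL parsing.
	if i := strings.Index(src, "::"); i >= 0 && !strings.Contains(src[:i], "/") {
		prefix, src = src[:i+2], src[i+2:]
	}
	u, err := url.Parse(src)
	if err != nil {
		// Never fall back to the raw string: it may still hold the key.
		return prefix + "<unparsable source, omitted>"
	}
	if _, has := u.User.Password(); has {
		u.User = url.UserPassword(u.User.Username(), "redacted")
	}
	q := u.Query()
	changed := false
	for _, name := range sensitiveParams {
		if _, ok := q[name]; ok {
			q.Set(name, "redacted")
			changed = true
		}
	}
	if changed {
		u.RawQuery = q.Encode() // Encode sorts parameters by key
	}
	return prefix + u.String()
}

func main() {
	// Constructed sample; the value is a placeholder, not real key material.
	src := "git::ssh://git@example.com/org/repo.git?ref=main&sshkey=QkFTRTY0LVBMQUNFSE9MREVS"
	fmt.Println(RedactForLog(src))
}
```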