CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

27 May 2022 — HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were impacted by go-getter vulnerabilities enabling privilege escalation through the artifact stanza in submitted jobs onto the client agent host. Fixed in 1.1.14, 1.2.8, and 1.3.1. • https://discuss.hashicorp.com

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 May 2022 — go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute comm... • https://discuss.hashicorp.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 May 2022 — go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response header... • https://discuss.hashicorp.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-59: Improper Link Resolution Before File Access ('Link Following') • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-229: Improper Handling of Values

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 May 2022 — go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to b... • https://discuss.hashicorp.com • CWE-229: Improper Handling of Values

CVSS: 8.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

25 May 2022 — go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of servic... • https://discuss.hashicorp.com • CWE-229: Improper Handling of Values

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

17 May 2022 — HashiCorp Vault and Vault Enterprise from 1.10.0 to 1.10.2 did not correctly configure and enforce MFA on login after server restarts. This affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0 and does not affect the separate Enterprise MFA feature set. Fixed in 1.10.3. • https://discuss.hashicorp.com

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Apr 2022 — The HashiCorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. A flaw was found in go-getter, where the go-getter library can write SSH credentials into its log file. This flaw allows a local user with access to read log files to read sensitive credentials, which may lead to privilege escalation or account takeover. Red Hat Advanced Cluster... • https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 7.5 • EPSS: 3% • CPEs: 7 • EXPL: 0

19 Apr 2022 — HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server-side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. • https://discuss.hashicorp.com • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 1

23 Mar 2022 — Sentinel 1.8.2 is vulnerable to server-side request forgery (SSRF). • https://github.com/alibaba/Sentinel/issues/2451 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

07 Mar 2022 — Vault and Vault Enterprise 1.8.0 through 1.8.8, and 1.9.3 allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. Fixed in Vault Enterprise 1.8.9 and 1.9.4. • https://discuss.hashicorp.com • CWE-295: Improper Certificate Validation