CVE-2023-0475 – Go-Getter Vulnerable to Decompression Bombs
https://notcve.org/view.php?id=CVE-2023-0475
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0. A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive.
References: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 https://access.redhat.com/security/cve/CVE-2023-0475 https://bugzilla.redhat.com/show_bug.cgi?id=2170844
Weakness: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CVE-2022-26945 – go-getter: command injection vulnerability
https://notcve.org/view.php?id=CVE-2022-26945
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirects, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.
References: https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://access.redhat.com/security/cve/CVE-2022-26945 https://bugzilla.redhat.com/show_bug.cgi?id=2092928
Weakness: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-30321 – go-getter: unsafe download (issue 1 of 3)
https://notcve.org/view.php?id=CVE-2022-30321
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
References: https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30321 https://bugzilla.redhat.com/show_bug.cgi?id=2092918
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-59: Improper Link Resolution Before File Access ('Link Following'); CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-229: Improper Handling of Values
CVE-2022-30322 – go-getter: unsafe download (issue 2 of 3)
https://notcve.org/view.php?id=CVE-2022-30322
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
References: https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30322 https://bugzilla.redhat.com/show_bug.cgi?id=2092923
Weakness: CWE-229: Improper Handling of Values
CVE-2022-30323 – go-getter: unsafe download (issue 3 of 3)
https://notcve.org/view.php?id=CVE-2022-30323
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0. A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
References: https://discuss.hashicorp.com https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930 https://github.com/hashicorp/go-getter/releases https://access.redhat.com/security/cve/CVE-2022-30323 https://bugzilla.redhat.com/show_bug.cgi?id=2092925
Weakness: CWE-229: Improper Handling of Values