vulndb/data/osv/GO-2022-0586.json

{
  "schema_version": "1.3.1",
  "id": "GO-2022-0586",
  "modified": "0001-01-01T00:00:00Z",
  "published": "2022-05-26T00:01:27Z",
  "aliases": [
    "CVE-2022-26945",
    "CVE-2022-30321",
    "CVE-2022-30322",
    "CVE-2022-30323",
    "GHSA-28r2-q6m8-9hpx",
    "GHSA-cjr4-fv6c-f3mv",
    "GHSA-fcgg-rvwg-jv58",
    "GHSA-x24g-9w7v-vprh"
  ],
  "summary": "Resource exhaustion in github.com/hashicorp/go-getter and related modules",
  "details": "Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.\n\n* Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.\n\n* Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.\n\n* Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.\n\n* A panic can be triggered when go-getter processed password-protected ZIP files.",
  "affected": [
    {
      "package": {
        "name": "github.com/hashicorp/go-getter",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/hashicorp/go-getter"
          }
        ]
      }
    },
    {
      "package": {
        "name": "github.com/hashicorp/go-getter/v2",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/hashicorp/go-getter/v2"
          }
        ]
      }
    },
    {
      "package": {
        "name": "github.com/hashicorp/go-getter/s3/v2",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/hashicorp/go-getter/s3/v2",
            "symbols": [
              "Getter.Get",
              "Getter.GetFile",
              "Getter.Mode"
            ]
          }
        ]
      }
    },
    {
      "package": {
        "name": "github.com/hashicorp/go-getter/gcs/v2",
        "ecosystem": "Go"
      },
      "ranges": [
        {
          "type": "SEMVER",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "imports": [
          {
            "path": "github.com/hashicorp/go-getter/gcs/v2",
            "symbols": [
              "Getter.Get",
              "Getter.GetFile",
              "Getter.Mode"
            ]
          }
        ]
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
    },
    {
      "type": "FIX",
      "url": "https://github.com/hashicorp/go-getter/pull/361"
    },
    {
      "type": "FIX",
      "url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/go-getter/pull/359"
    }
  ],
  "credits": [
    {
      "name": "Joern Schneeweisz of GitLab"
    },
    {
      "name": "Alessio Della Libera of Snyk"
    },
    {
      "name": "HashiCorp Product Security"
    }
  ],
  "database_specific": {
    "url": "https://pkg.go.dev/vuln/GO-2022-0586",
    "review_status": "REVIEWED"
  }
}
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`{`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"schema_version": "1.3.1",`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`"id": "GO-2022-0586",`
			`"modified": "0001-01-01T00:00:00Z",`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"published": "2022-05-26T00:01:27Z",`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`"aliases": [`
			`"CVE-2022-26945",`
			`"CVE-2022-30321",`
			`"CVE-2022-30322",`
			`"CVE-2022-30323",`
			`"GHSA-28r2-q6m8-9hpx",`
			`"GHSA-cjr4-fv6c-f3mv",`
			`"GHSA-fcgg-rvwg-jv58",`
			`"GHSA-x24g-9w7v-vprh"`
			`],`
internal/{osv,report}, data: publish summaries to OSV Modify ToOSV to publish the summary from the YAML report to OSV, and apply this change to each existing OSV report. For golang/go#56443 Change-Id: Iee78fe75f42fe9a52c6e4023ee9ad8dfa5feba8d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/501203 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> 2023-06-06 21:13:32 +03:00			`"summary": "Resource exhaustion in github.com/hashicorp/go-getter and related modules",`
internal/database, data/osv: trim whitespace characters in OSV description In GenerateOSVEntry, replace all whitespace characters with single spaces except for paragraph breaks represented by "\n\n". Change-Id: Ia03f0b53c94979fada6316be1346df3f48b9fabe Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/439044 Run-TryBot: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-10-05 19:05:17 +03:00			"details": "Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.\n\n* Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.\n\n* Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.\n\n* Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.\n\n* A panic can be triggered when go-getter processed password-protected ZIP files.",
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`"affected": [`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/go-getter",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
data/reports: add vulnerable_at to GO-2022-0586.yaml Also adds missing packages and removes unconfirmed "introduced" versions Aliases: CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323, GHSA-28r2-q6m8-9hpx, GHSA-cjr4-fv6c-f3mv, GHSA-fcgg-rvwg-jv58, GHSA-x24g-9w7v-vprh Updates golang/vulndb#586 Change-Id: Ib93dbfd87ba248172d757733e2bd4dd8995bf102 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465175 Reviewed-by: Tim King <taking@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 23:35:42 +03:00			`"introduced": "0"`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`},`
			`{`
			`"fixed": "1.6.1"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/hashicorp/go-getter"`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/go-getter/v2",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
data/reports: add vulnerable_at to GO-2022-0586.yaml Also adds missing packages and removes unconfirmed "introduced" versions Aliases: CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323, GHSA-28r2-q6m8-9hpx, GHSA-cjr4-fv6c-f3mv, GHSA-fcgg-rvwg-jv58, GHSA-x24g-9w7v-vprh Updates golang/vulndb#586 Change-Id: Ib93dbfd87ba248172d757733e2bd4dd8995bf102 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465175 Reviewed-by: Tim King <taking@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 23:35:42 +03:00			`"introduced": "0"`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`},`
			`{`
			`"fixed": "2.1.0"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/hashicorp/go-getter/v2"`
			`}`
			`]`
			`}`
data/reports: add vulnerable_at to GO-2022-0586.yaml Also adds missing packages and removes unconfirmed "introduced" versions Aliases: CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323, GHSA-28r2-q6m8-9hpx, GHSA-cjr4-fv6c-f3mv, GHSA-fcgg-rvwg-jv58, GHSA-x24g-9w7v-vprh Updates golang/vulndb#586 Change-Id: Ib93dbfd87ba248172d757733e2bd4dd8995bf102 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/465175 Reviewed-by: Tim King <taking@google.com> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> 2023-02-02 23:35:42 +03:00			`},`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/go-getter/s3/v2",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "2.1.0"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/hashicorp/go-getter/s3/v2",`
			`"symbols": [`
			`"Getter.Get",`
			`"Getter.GetFile",`
			`"Getter.Mode"`
			`]`
			`}`
			`]`
			`}`
			`},`
			`{`
			`"package": {`
			`"name": "github.com/hashicorp/go-getter/gcs/v2",`
			`"ecosystem": "Go"`
			`},`
			`"ranges": [`
			`{`
			`"type": "SEMVER",`
			`"events": [`
			`{`
			`"introduced": "0"`
			`},`
			`{`
			`"fixed": "2.1.0"`
			`}`
			`]`
			`}`
			`],`
			`"ecosystem_specific": {`
			`"imports": [`
			`{`
			`"path": "github.com/hashicorp/go-getter/gcs/v2",`
			`"symbols": [`
			`"Getter.Get",`
			`"Getter.GetFile",`
			`"Getter.Mode"`
			`]`
			`}`
			`]`
			`}`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`}`
			`],`
			`"references": [`
			`{`
			`"type": "ADVISORY",`
			`"url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/hashicorp/go-getter/pull/361"`
			`},`
			`{`
			`"type": "FIX",`
			`"url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48"`
			`},`
			`{`
			`"type": "WEB",`
			`"url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45"`
			`},`
			`{`
			`"type": "WEB",`
			`"url": "https://github.com/hashicorp/go-getter/pull/359"`
			`}`
internal/database: add credits in the osv report - Update `golang.org/x/vuln/osv`. - Output credits in the OSV report from the YAML report. - Update `data/osv` to include `credits`. Fixes golang/go#55956 Change-Id: I8b1a81f33ca7b2832394be316b7d015c8a281220 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435976 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-10-01 17:10:57 +03:00			`],`
			`"credits": [`
			`{`
internal/report, all: allow multiple credits in YAML reports Allow multiple credits in YAML reports to move closer to format of OSV and CVEs. Change all the YAML reports to use this new field, and update any OSVs/CVEs that now have multiple credits. Change-Id: I6452cb51614b44c86ec6fa47a7bce68976be8f9e Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/496163 TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> 2023-05-18 23:23:32 +03:00			`"name": "Joern Schneeweisz of GitLab"`
			`},`
			`{`
			`"name": "Alessio Della Libera of Snyk"`
			`},`
			`{`
			`"name": "HashiCorp Product Security"`
internal/database: add credits in the osv report - Update `golang.org/x/vuln/osv`. - Output credits in the OSV report from the YAML report. - Update `data/osv` to include `credits`. Fixes golang/go#55956 Change-Id: I8b1a81f33ca7b2832394be316b7d015c8a281220 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/435976 Reviewed-by: Tatiana Bradley <tatiana@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2022-10-01 17:10:57 +03:00			`}`
internal/report, data/osv: populate schema_version field in osv entries The vulnreport osv command now populates all generated osvs with the current schema version (1.3.1). This CL also updates all previous OSV entries to also have the current schema version. Change-Id: Ie95c91aae0ee623bbf50ff047190a0bbe59893d9 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/452440 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Maceo Thompson <maceothompson@google.com> 2022-11-21 21:47:08 +03:00			`],`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`"database_specific": {`
data: apply REVIEWED status to all existing reports and osv Change-Id: I862c5bb24b9c08c29f0d437fd1be61da0319ef0d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/585517 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> 2024-05-14 22:19:00 +03:00			`"url": "https://pkg.go.dev/vuln/GO-2022-0586",`
			`"review_status": "REVIEWED"`
internal/osv, all: move DatabaseSpecific osv field Moves DatabaseSpecific to be a field of the top-level osv.Entry, instead of a subfield of the Affected field. Change-Id: I8c80f8af268b51d57833268b89947838c53e407a Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/481136 Run-TryBot: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> 2023-03-31 23:44:23 +03:00			`}`
data/osv: add OSV entries for all reports Create data/osv, containing the OSV version for all reports. This directory will be used as the source for database generation in the future. Set creation times on all existing reports; future reports will take the creation time from the OSV entry history. Change-Id: Ibe0f3a9fc76c0d4afee8102d6a0fd35c7641e97d Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/430682 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> 2022-09-14 01:40:34 +03:00			`}`