vulndb/data/reports/GO-2022-0438.yaml

id: GO-2022-0438
modules:
  - module: github.com/hashicorp/go-getter
    versions:
      - fixed: 1.5.11
    vulnerable_at: 1.5.10
    packages:
      - package: github.com/hashicorp/go-getter
        symbols:
          - RedactURL
        derived_symbols:
          - Client.ChecksumFromFile
          - Client.Get
          - FolderStorage.Get
          - Get
          - GetAny
          - GetFile
          - HttpGetter.Get
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    The getter package can write SSH credentials to its logfile,
    exposing credentials to local users able to read the logfile.    
published: 2022-07-01T20:07:52Z
cves:
  - CVE-2022-29810
ghsas:
  - GHSA-27rq-4943-qcwp
references:
  - fix: https://github.com/hashicorp/go-getter/pull/348
  - fix: https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
  - web: https://github.com/hashicorp/go-getter/releases/tag/v1.5.11