зеркало из https://github.com/golang/vulndb.git
171 строка
4.1 KiB
JSON
171 строка
4.1 KiB
JSON
{
|
|
"schema_version": "1.3.1",
|
|
"id": "GO-2022-0586",
|
|
"modified": "0001-01-01T00:00:00Z",
|
|
"published": "2022-05-26T00:01:27Z",
|
|
"aliases": [
|
|
"CVE-2022-26945",
|
|
"CVE-2022-30321",
|
|
"CVE-2022-30322",
|
|
"CVE-2022-30323",
|
|
"GHSA-28r2-q6m8-9hpx",
|
|
"GHSA-cjr4-fv6c-f3mv",
|
|
"GHSA-fcgg-rvwg-jv58",
|
|
"GHSA-x24g-9w7v-vprh"
|
|
],
|
|
"summary": "Resource exhaustion in github.com/hashicorp/go-getter and related modules",
|
|
"details": "Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.\n\n* Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.\n\n* Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.\n\n* Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.\n\n* A panic can be triggered when go-getter processed password-protected ZIP files.",
|
|
"affected": [
|
|
{
|
|
"package": {
|
|
"name": "github.com/hashicorp/go-getter",
|
|
"ecosystem": "Go"
|
|
},
|
|
"ranges": [
|
|
{
|
|
"type": "SEMVER",
|
|
"events": [
|
|
{
|
|
"introduced": "0"
|
|
},
|
|
{
|
|
"fixed": "1.6.1"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"ecosystem_specific": {
|
|
"imports": [
|
|
{
|
|
"path": "github.com/hashicorp/go-getter"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"package": {
|
|
"name": "github.com/hashicorp/go-getter/v2",
|
|
"ecosystem": "Go"
|
|
},
|
|
"ranges": [
|
|
{
|
|
"type": "SEMVER",
|
|
"events": [
|
|
{
|
|
"introduced": "0"
|
|
},
|
|
{
|
|
"fixed": "2.1.0"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"ecosystem_specific": {
|
|
"imports": [
|
|
{
|
|
"path": "github.com/hashicorp/go-getter/v2"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"package": {
|
|
"name": "github.com/hashicorp/go-getter/s3/v2",
|
|
"ecosystem": "Go"
|
|
},
|
|
"ranges": [
|
|
{
|
|
"type": "SEMVER",
|
|
"events": [
|
|
{
|
|
"introduced": "0"
|
|
},
|
|
{
|
|
"fixed": "2.1.0"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"ecosystem_specific": {
|
|
"imports": [
|
|
{
|
|
"path": "github.com/hashicorp/go-getter/s3/v2",
|
|
"symbols": [
|
|
"Getter.Get",
|
|
"Getter.GetFile",
|
|
"Getter.Mode"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"package": {
|
|
"name": "github.com/hashicorp/go-getter/gcs/v2",
|
|
"ecosystem": "Go"
|
|
},
|
|
"ranges": [
|
|
{
|
|
"type": "SEMVER",
|
|
"events": [
|
|
{
|
|
"introduced": "0"
|
|
},
|
|
{
|
|
"fixed": "2.1.0"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"ecosystem_specific": {
|
|
"imports": [
|
|
{
|
|
"path": "github.com/hashicorp/go-getter/gcs/v2",
|
|
"symbols": [
|
|
"Getter.Get",
|
|
"Getter.GetFile",
|
|
"Getter.Mode"
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"type": "ADVISORY",
|
|
"url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
|
|
},
|
|
{
|
|
"type": "FIX",
|
|
"url": "https://github.com/hashicorp/go-getter/pull/361"
|
|
},
|
|
{
|
|
"type": "FIX",
|
|
"url": "https://github.com/hashicorp/go-getter/commit/38e97387488f5439616be60874979433a12edb48"
|
|
},
|
|
{
|
|
"type": "WEB",
|
|
"url": "https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45"
|
|
},
|
|
{
|
|
"type": "WEB",
|
|
"url": "https://github.com/hashicorp/go-getter/pull/359"
|
|
}
|
|
],
|
|
"credits": [
|
|
{
|
|
"name": "Joern Schneeweisz of GitLab"
|
|
},
|
|
{
|
|
"name": "Alessio Della Libera of Snyk"
|
|
},
|
|
{
|
|
"name": "HashiCorp Product Security"
|
|
}
|
|
],
|
|
"database_specific": {
|
|
"url": "https://pkg.go.dev/vuln/GO-2022-0586",
|
|
"review_status": "REVIEWED"
|
|
}
|
|
} |