CVE-2022-30321

High

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection…

mitre·CWE-22·Published 2022-05-25

CVSS

8.6

EPSS

0.03

KEV

Exploits

cve.orgen

167 chars

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

NVDen

167 chars

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics. * Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing. * Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws. * Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses. * A panic can be triggered when go-getter processed password-protected ZIP files.

GHSAen

198 chars

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

NVDes

210 chars

go-getter hasta 1.5.11 y 2.0.2 permitía el acceso arbitrario al host a través del recorrido de go-getter, el procesamiento de enlaces simbólicos y los fallos de inyección de comandos. Corregido en 1.6.1 y 2.1.0

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	7.5	10.0	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
3.1	Primary	NVD	8.6	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
3.1	Secondary	GHSA	8.6	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H