This repository was archived by the owner on Jan 3, 2023. It is now read-only.
This repository was archived by the owner on Jan 3, 2023. It is now read-only.
CVE-2022-30321 (High) detected in github.com/hashicorp/go-getter-v1.4.0 #10
Description
CVE-2022-30321 - High Severity Vulnerability
Vulnerable Library - github.com/hashicorp/go-getter-v1.4.0
Package for downloading things from a string URL using a variety of protocols.
Library home page: https://proxy.golang.org/github.com/hashicorp/go-getter/@v/v1.4.0.zip
Dependency Hierarchy:
- github.com/hashicorp/terraform-plugin-sdk/helper/schema-v1.2.0 (Root Library)
- github.com/hashicorp/terraform-plugin-sdk/terraform-v1.2.0
- github.com/hashicorp/terraform-plugin-sdk/internal/moduledeps-v1.2.0
- github.com/hashicorp/terraform-plugin-sdk/internal/plugin/discovery-v1.2.0
- ❌ github.com/hashicorp/go-getter-v1.4.0 (Vulnerable Library)
- github.com/hashicorp/terraform-plugin-sdk/internal/plugin/discovery-v1.2.0
- github.com/hashicorp/terraform-plugin-sdk/internal/moduledeps-v1.2.0
- github.com/hashicorp/terraform-plugin-sdk/terraform-v1.2.0
Vulnerability Details
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
Publish Date: 2022-05-25
URL: CVE-2022-30321
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
Release Date: 2022-05-25
Fix Resolution: v2.1.0
Step up your Open Source Security Game with Mend here