PT-2022-20063 · Hashicorp · Go-Getter
Alessio Della Libera
Published 2022-05-25 · Updated 2023-08-08
CVE-2022-30321
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HashiCorp go-getter versions 1.5.11 and earlier, and versions 2.0.2 and earlier
Description
The issue allows arbitrary host access via path traversal, symlink processing, and command injection flaws. It also enables protocol switching, endless redirects, and configuration bypass through abuse of custom HTTP response header processing. Additionally, asymmetric resource exhaustion can occur when processing malicious HTTP responses. In combination, a malicious HTTP response can cause misbehaviour in the client, including overwriting of local files, resource exhaustion, and panics.
Recommendations
For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later.
For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later.
As a temporary workaround, consider restricting the use of go-getter until a patch is applied. Avoid using go-getter to process malicious or untrusted HTTP responses.
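An added illustration, not code from this page or from go-getter itself, of the client-side checks that address the header-driven redirect and path-traversal problems described above: a hop cap, a scheme allowlist, and a destination check. It assumes go-getter's X-Terraform-Get response header as the redirect mechanism and uses a constructed in-memory map of responses in place of real HTTP.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)
// Constructed sample: each entry stands in for an HTTP response whose X-Terraform-Get
// header (go-getter's redirect header) names the next source to fetch.
var responses = map[string]string{
	"https://mods.example/a": "https://mods.example/b",         // a <-> b: endless redirect
	"https://mods.example/b": "https://mods.example/a",
	"https://mods.example/c": "file:///tmp/anything",           // protocol switch to file://
	"https://mods.example/d": "https://mods.example/final.zip", // benign chain
}

const maxHops = 5                                    // cap on header-driven redirects
var allowedSchemes = map[string]bool{"https": true} // no switching to file://, s3://, git:: ...

// followGetHeader resolves a chain of X-Terraform-Get hops, refusing schemes outside the allowlist and chains longer than maxHops (which also catches loops).
func followGetHeader(start string) (string, error) {
	cur := start
	for hop := 0; hop <= maxHops; hop++ {
		u, err := url.Parse(cur)
		if err != nil {
			return "", err
		}
		if !allowedSchemes[u.Scheme] {
			return "", fmt.Errorf("hop %d: scheme %q not allowed in %s", hop, u.Scheme, cur)
		}
		next, ok := responses[cur]
		if !ok {
			return cur, nil // no further header: this is the final source
		}
		cur = next
	}
	return "", errors.New("too many X-Terraform-Get hops (possible redirect loop)")
}

// safeDest joins a server-supplied relative path onto the (clean) download directory and rejects any result that escapes it: the path-traversal case.
func safeDest(base, rel string) (string, error) {
	dst := filepath.Join(base, rel)
	if dst != base && !strings.HasPrefix(dst, base+string(filepath.Separator)) {
		return "", fmt.Errorf("destination %q escapes %q", dst, base)
	}
	return dst, nil
}
```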
Fix
Path Traversal
Link Following
Command Injection
Related Identifiers
Affected Products
Debian
Go-Getter