PT-2022-20064 · Hashicorp+1 · Go-Getter+1

Alessio Della Libera +1 · Published 2022-05-25 · Updated 2022-11-21 · CVE-2022-30322

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: HashiCorp go-getter versions 1.5.11 and earlier, 2.0.2 and earlier

Description: The issue allows for asymmetric resource exhaustion when processing malicious HTTP responses. It also enables protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Additionally, arbitrary host access is possible through path traversal, symlink processing, and command injection flaws. Malicious HTTP responses can cause misbehaviors, including overwriting local files, resource exhaustion, and panics. A panic can be triggered when processing password-protected ZIP files.

Recommendations: For versions 1.5.11 and earlier, update to version 1.6.1 or later. For version 2.0.2, update to version 2.1.0 or later. As a temporary workaround, consider restricting access to the go-getter function until a patch is available. Avoid using go-getter to process malicious HTTP responses until the issue is resolved.

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2022-30322
GHSA-28R2-Q6M8-9HPX
GHSA-CJR4-FV6C-F3MV
GHSA-FCGG-RVWG-JV58
GHSA-X24G-9W7V-VPRH
GO-2022-0586

Affected Products

Debian
Go-Getter