PT-2022-20065 · HashiCorp · Go-Getter

Alessio Della Libera · Published 2022-05-25 · Updated 2022-11-21 · CVE-2022-30323

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions

HashiCorp go-getter versions 1.5.11 and earlier
HashiCorp go-getter versions 2.0.2 and earlier
Description

The issue concerns unsafe download handling in HashiCorp go-getter. Malicious HTTP responses can cause various misbehaviours, including overwriting of local files, resource exhaustion, and panics. Specifically, protocol switching, endless redirects, and configuration bypass are possible through abuse of custom HTTP response header processing. Additionally, arbitrary host access is possible through path traversal, symlink processing, and command injection flaws in go-getter. Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses, and a panic can be triggered when go-getter processes password-protected ZIP files.
Recommendations

For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later. For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later. As a temporary workaround, consider restricting access to the go-getter command until a patch is available, and avoid using go-getter to fetch from untrusted HTTP sources or to process password-protected ZIP files until the issue is resolved.
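The description above names the classes of misbehaviour at issue: unbounded or scheme-switching redirects, oversized responses, archive entries that traverse out of the destination directory or are symlinks, and encrypted (password-protected) ZIP entries. The following Go program is an added illustration of the defensive checks a downloader can apply for each of those classes; it is not go-getter's code, not the vendor's patch, and uses only the standard library. The limits (maxRedirects, maxBodyBytes), the error names, and the constructed in-memory archive returned by demoReader are assumptions of this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// Tunables; the values are assumptions for this example, not go-getter settings.
const (
	maxRedirects = 5
	maxBodyBytes = 64 << 20 // 64 MiB
)

var (
	ErrTooManyRedirects = errors.New("download: redirect limit exceeded")
	ErrSchemeSwitch     = errors.New("download: redirect switches URL scheme")
	ErrBodyTooLarge     = errors.New("download: response body exceeds size limit")
	ErrUnsafePath       = errors.New("archive: entry escapes destination directory")
	ErrSymlinkEntry     = errors.New("archive: symlink entries are not extracted")
	ErrEncryptedEntry   = errors.New("archive: encrypted entries are not supported")
)

// redirectPolicy decides whether one more redirect hop may be followed.
// hops is the number of requests already made; firstScheme is the scheme of the
// original request and nextScheme the scheme of the redirect target.
func redirectPolicy(firstScheme, nextScheme string, hops int) error {
	if hops >= maxRedirects {
		return ErrTooManyRedirects
	}
	if !strings.EqualFold(firstScheme, nextScheme) {
		return ErrSchemeSwitch // e.g. https -> http downgrade, or http -> file-like schemes
	}
	return nil
}

// newClient wires redirectPolicy into net/http so a server can neither loop
// the client forever nor change protocol mid-download.
func newClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return redirectPolicy(via[0].URL.Scheme, req.URL.Scheme, len(via))
		},
	}
}

// readBounded reads at most limit bytes; anything beyond that is an error
// rather than an allocation whose size the remote side controls.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// safeDestPath maps an archive entry name onto dest and rejects any result
// that would land outside dest (".." components are the usual vector).
func safeDestPath(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// checkEntry applies the per-entry rules before any bytes are written.
func checkEntry(f *zip.File, dest string) (string, error) {
	if f.Mode()&os.ModeSymlink != 0 {
		return "", ErrSymlinkEntry
	}
	// Bit 0 of the ZIP general-purpose flags marks an encrypted entry;
	// archive/zip cannot decrypt it, so refuse up front.
	if f.Flags&0x1 != 0 {
		return "", ErrEncryptedEntry
	}
	return safeDestPath(dest, f.Name)
}

// planExtraction returns the destination path of every entry that passes
// checkEntry; the first rejected entry aborts the whole plan.
func planExtraction(zr *zip.Reader, dest string) ([]string, error) {
	var paths []string
	for _, f := range zr.File {
		p, err := checkEntry(f, dest)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// demoReader builds a constructed in-memory archive: one ordinary file and
// one symlink entry whose target points outside the destination.
func demoReader() (*zip.Reader, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, err := zw.Create("sub/ok.txt")
	if err != nil {
		return nil, err
	}
	w.Write([]byte("harmless content"))
	hdr := &zip.FileHeader{Name: "link"}
	hdr.SetMode(os.ModeSymlink | 0o777)
	lw, err := zw.CreateHeader(hdr)
	if err != nil {
		return nil, err
	}
	lw.Write([]byte("../../etc/passwd")) // a symlink's target is stored as the entry body
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
}

func main() {
	// No network access happens here; newClient is shown only to demonstrate the wiring.
	_ = newClient()
	fmt.Println(redirectPolicy("https", "http", 1))        // scheme switch rejected
	fmt.Println(safeDestPath("out", "../etc/passwd"))      // traversal rejected
	if zr, err := demoReader(); err == nil {
		fmt.Println(planExtraction(zr, "out")) // symlink entry rejected
	}
}
```

Each check runs before any write or allocation the remote side could influence: the redirect policy is consulted by net/http on every hop, the body limit is applied while reading, and the archive plan is computed in full before extraction begins, so a single bad entry means nothing is written.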

Fix

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2022-30323
GHSA-28R2-Q6M8-9HPX
GHSA-CJR4-FV6C-F3MV
GHSA-FCGG-RVWG-JV58
GHSA-X24G-9W7V-VPRH
GO-2022-0586

Affected Products

Debian
Go-Getter