PT-2022-3860 · Hashicorp · Go-Getter

Alessio Della Libera

Published: 2022-05-24 · Updated: 2023-08-08 · CVE-2022-26945

CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

HashiCorp go-getter versions 1.5.11 and earlier
HashiCorp go-getter versions 2.0.2 and earlier
Description

The issue stems from a lack of input sanitization in the go-getter library. A remote attacker who controls a source that go-getter fetches from can compromise the confidentiality, integrity, and availability of protected information: malicious HTTP responses can cause various misbehaviors, including overwriting local files, resource exhaustion, and panics.

Specifically, protocol switching, endless redirects, and configuration bypass are possible through abuse of custom HTTP response header processing. Arbitrary host access is possible through path traversal, symlink processing, and command injection flaws in go-getter. Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses, where a small response drives a disproportionate amount of client-side work.
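The flaw classes above (archive path traversal, symlink entries, argument injection into git, and redirect abuse through protocol switching or endless redirects) each correspond to a check a fetcher must make before acting on attacker-controlled data. The following is an added example, not go-getter's own code or API: the function names, the Entry type, and the sample inputs are assumptions made for illustration, and they show the shape of the guards, not how HashiCorp implemented the fix.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Added example, not go-getter code. Names and types here are assumptions
// chosen for illustration; they are not go-getter's API.

// Entry is a constructed, minimal view of one archive member.
type Entry struct {
	Name       string // path inside the archive
	IsSymlink  bool
	LinkTarget string // only meaningful when IsSymlink
}

// within reports whether p is base itself or lies beneath base.
// Both arguments must already be Clean()ed.
func within(base, p string) bool {
	return p == base || strings.HasPrefix(p, base+string(filepath.Separator))
}

// SafeJoin returns dst/name, rejecting names that climb out of dst ("../x").
// Absolute names are re-rooted under dst rather than honoured.
func SafeJoin(dst, name string) (string, error) {
	base := filepath.Clean(dst)
	target := filepath.Join(base, name) // Join cleans ".." segments
	if !within(base, target) {
		return "", fmt.Errorf("entry %q escapes %q", name, dst)
	}
	return target, nil
}

// CheckEntry validates one archive member before it is written. With
// allowSymlinks=false every symlink is refused (the conservative setting);
// otherwise the link must be relative and must resolve under dst.
func CheckEntry(dst string, e Entry, allowSymlinks bool) (string, error) {
	path, err := SafeJoin(dst, e.Name)
	if err != nil {
		return "", err
	}
	if !e.IsSymlink {
		return path, nil
	}
	if !allowSymlinks {
		return "", fmt.Errorf("symlink %q refused", e.Name)
	}
	if filepath.IsAbs(e.LinkTarget) {
		return "", fmt.Errorf("symlink %q has absolute target %q", e.Name, e.LinkTarget)
	}
	// Resolve the target relative to the link's own directory; it must still
	// land under dst. Chains through links written earlier are not re-checked
	// here, which is why refusing symlinks outright is the safer default.
	resolved := filepath.Join(filepath.Dir(path), e.LinkTarget)
	if !within(filepath.Clean(dst), resolved) {
		return "", fmt.Errorf("symlink %q -> %q escapes %q", e.Name, e.LinkTarget, dst)
	}
	return path, nil
}

// SafeGitArg refuses values that git would parse as an option instead of a
// ref or path; handing "-"-prefixed attacker input to git is the classic
// argument-injection vector behind "command injection" findings.
func SafeGitArg(v string) error {
	if v == "" || strings.HasPrefix(v, "-") {
		return fmt.Errorf("refusing git argument %q", v)
	}
	return nil
}

// CheckHop is a redirect policy: at most maxHops redirects, only http(s),
// and no switch away from the scheme of the original request, so an https
// fetch can never be bounced to plain http or to some other handler.
func CheckHop(origin, next string, hop, maxHops int) error {
	if hop >= maxHops {
		return fmt.Errorf("redirect limit %d reached", maxHops)
	}
	o, err := url.Parse(origin)
	if err != nil {
		return err
	}
	n, err := url.Parse(next)
	if err != nil {
		return err
	}
	if n.Scheme != "http" && n.Scheme != "https" {
		return fmt.Errorf("redirect to unsupported scheme %q", n.Scheme)
	}
	if n.Scheme != o.Scheme {
		return fmt.Errorf("redirect switches scheme %s -> %s", o.Scheme, n.Scheme)
	}
	return nil
}

func main() {
	// Constructed inputs mirroring the advisory's flaw classes.
	entries := []Entry{
		{Name: "module/main.tf"},
		{Name: "../../.bashrc"},
		{Name: "link", IsSymlink: true, LinkTarget: "/etc/passwd"},
	}
	for _, e := range entries {
		_, err := CheckEntry("/tmp/out", e, false)
		fmt.Printf("%-18s -> %v\n", e.Name, err)
	}
	fmt.Println(SafeGitArg("--upload-pack=untrusted"))
	fmt.Println(CheckHop("https://example.test/a", "http://example.test/b", 0, 10))
}
```

CheckHop deliberately allows a host change on the same scheme, since cross-host redirects are a normal part of artifact hosting; what it forbids is the scheme switch and the unbounded chain the advisory names. The hop counter is the caller's: pass the number of redirects already followed.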
Recommendations

For HashiCorp go-getter versions 1.5.11 and earlier, update to version 1.6.1 or later. For HashiCorp go-getter versions 2.0.2 and earlier, update to version 2.1.0 or later.

Until the update is applied, restrict use of the go-getter library to trusted sources: do not let it fetch from untrusted HTTP endpoints or unpack untrusted archives (including password-protected ZIP files), since those are the inputs through which the flaws are triggered.
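To find out whether a Go build pulls in an affected release, the dependency graph from `go list -m all` can be checked against the fixed versions given above. This is an added example, not tooling from HashiCorp or from this advisory: the module paths are the real ones for the v1 and v2 modules, the sample `go list` output is constructed, and the simple semver comparison ignores pre-release and build suffixes, so pseudo-versions need a manual look. For the authoritative check use `govulncheck`, which reports this issue as GO-2022-0586.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Added example, not HashiCorp tooling. fixed maps the real module paths to
// the first fixed release named in the advisory.
var fixed = map[string][3]int{
	"github.com/hashicorp/go-getter":    {1, 6, 1},
	"github.com/hashicorp/go-getter/v2": {2, 1, 0},
}

// parseSemver turns "v1.5.11" (optionally with a -pre or +meta suffix) into
// major, minor, patch. Suffixes are dropped, so "v1.6.1-rc1" compares as 1.6.1;
// treat pre-releases and pseudo-versions as needing manual review.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unexpected version %q: %v", v, err)
		}
		out[i] = n
	}
	return out, nil
}

func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Affected reports whether module@version falls below the fixed release.
// Modules other than go-getter are never affected.
func Affected(module, version string) (bool, error) {
	fix, ok := fixed[module]
	if !ok {
		return false, nil
	}
	got, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	return less(got, fix), nil
}

// ScanGoList reads `go list -m all` output ("path version [=> newpath newver]")
// and returns the lines that name an affected go-getter. A replace directive
// with a version is honoured; a directory replacement ("=> ../dir") is not,
// and the original version is checked instead.
func ScanGoList(out string) ([]string, error) {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue // main module line has no version
		}
		path, ver := f[0], f[1]
		if len(f) >= 5 && f[2] == "=>" {
			path, ver = f[3], f[4]
		}
		hit, err := Affected(path, ver)
		if err != nil {
			return nil, err
		}
		if hit {
			hits = append(hits, sc.Text())
		}
	}
	return hits, sc.Err()
}

// sampleGoList is constructed output, not captured from a real project.
const sampleGoList = `example.com/app
github.com/hashicorp/go-getter v1.5.11
github.com/hashicorp/go-getter/v2 v2.0.2
github.com/hashicorp/go-version v1.6.0
golang.org/x/net v0.7.0
`

func main() {
	hits, err := ScanGoList(sampleGoList)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("affected:", h)
	}
}
```

Feed it the real output with `go list -m all > mods.txt` and read the file instead of the constant; a replace directive pinning go-getter to v1.6.1 or v2.1.0 clears the finding, as the second test case below shows.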

Fix

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2022-04663
CVE-2022-26945
GHSA-28R2-Q6M8-9HPX
GHSA-CJR4-FV6C-F3MV
GHSA-FCGG-RVWG-JV58
GHSA-X24G-9W7V-VPRH
GO-2022-0586

Affected Products

Debian
Go-Getter