Vulnerabilities related to HashiCorp - Shared library (the Go libraries go-slug, go-getter and go-retryablehttp)
cve-2025-0377
Vulnerability from cvelistv5
Published
2025-01-21 15:23
Modified
2025-02-12 20:41
Severity: CVSS 3.1 base 7.5 High (CNA: HashiCorp); CISA SSVC: Exploitation none, Automatable yes, Technical Impact partial
Summary
HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing, user-provided path is extracted from a tar entry. Affected: go-slug versions before 0.16.2; fixed in 0.16.2 (HashiCorp advisory HCSEC-2025-01). The record classifies the weakness as CWE-59 (improper link resolution before file access, i.e. link following) rather than plain path traversal, and scores it CVSS 3.1 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) — reachable without authentication, rated as a confidentiality impact. Do not unpack untrusted slugs with an unpatched version.
References: https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack (HashiCorp advisory HCSEC-2025-01)
Impacted products
Vendor | Product | Version
---|---|---
HashiCorp | Shared library (go-slug, https://github.com/hashicorp/go-slug) | 0 ≤ version < 0.16.2 (semver; fixed in 0.16.2)
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-0377", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-21T15:57:06.387281Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-12T20:41:20.897Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux", ], product: "Shared library", repo: "https://github.com/hashicorp/go-slug", vendor: "HashiCorp", versions: [ { lessThan: "0.16.2", status: "affected", version: "0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.</p><br/>", }, ], value: "HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry.", }, ], impacts: [ { capecId: "CAPEC-126", descriptions: [ { lang: "en", value: "CAPEC-126: Path Traversal", }, ], }, ], metrics: [ { cvssV3_1: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-59", description: "CWE-59: Improper Link Resolution Before File Access (Link Following)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-21T15:23:53.104Z", orgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", shortName: "HashiCorp", }, references: [ { url: "https://discuss.hashicorp.com/t/hcsec-2025-01-hashicorp-go-slug-vulnerable-to-zip-slip-attack", }, ], source: { advisory: 
"HCSEC-2025-01", discovery: "EXTERNAL", }, title: "HashiCorp go-slug Vulnerable to Zip Slip Attack", }, }, cveMetadata: { assignerOrgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", assignerShortName: "HashiCorp", cveId: "CVE-2025-0377", datePublished: "2025-01-21T15:23:53.104Z", dateReserved: "2025-01-10T14:21:11.221Z", dateUpdated: "2025-02-12T20:41:20.897Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-6257
Vulnerability from cvelistv5
Published
2024-06-25 16:31
Modified
2024-08-01 21:33
Severity: CVSS 3.1 base 8.4 High (CNA: HashiCorp); CISA SSVC: Exploitation none, Automatable no, Technical Impact total
Summary
HashiCorp’s go-getter library can be coerced into running a Git update against an existing, maliciously modified Git configuration, potentially leading to arbitrary code execution. Affected: go-getter versions before 1.7.4; fixed in 1.7.4 (HashiCorp advisory HCSEC-2024-13). The record classifies it as CWE-77 (command injection) with CVSS 3.1 8.4 High (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H): the attacker must already be able to tamper with the Git configuration of the existing checkout that go-getter updates (PR:H, UI:R), but a successful attack changes scope (S:C) and yields full code execution.
References: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081 (HashiCorp advisory HCSEC-2024-13)
Impacted products
Vendor | Product | Version
---|---|---
HashiCorp | Shared library (go-getter, https://github.com/hashicorp/go-getter) | 0 ≤ version < 1.7.4 (semver; fixed in 1.7.4)

Note: the CISA ADP entry for this record uses the CPE `cpe:2.3:a:hashicorp:shared_library:*:*:*:*:*:*:*:*` rather than the go-getter module name, so CPE-keyed scanners may not match this library; match on the Go module path `github.com/hashicorp/go-getter` instead.
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:hashicorp:shared_library:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "shared_library", vendor: "hashicorp", versions: [ { lessThan: "1.7.4", status: "affected", version: "0", versionType: "semver", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-6257", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-25T17:53:59.411597Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-25T17:58:18.630Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T21:33:05.245Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux", ], product: "Shared library", repo: "https://github.com/hashicorp/go-getter", vendor: "HashiCorp", versions: [ { lessThan: "1.7.4", status: "affected", version: "0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.</p><br/>", }, ], value: "HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.", }, ], impacts: [ { capecId: "CAPEC-248", descriptions: [ { lang: "en", value: "CAPEC-248: Command Injection", }, 
], }, ], metrics: [ { cvssV3_1: { baseScore: 8.4, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-77", description: "CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-25T16:31:03.882Z", orgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", shortName: "HashiCorp", }, references: [ { url: "https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081", }, ], source: { advisory: "HCSEC-2024-13", discovery: "EXTERNAL", }, title: "HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation", }, }, cveMetadata: { assignerOrgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", assignerShortName: "HashiCorp", cveId: "CVE-2024-6257", datePublished: "2024-06-25T16:31:03.882Z", dateReserved: "2024-06-21T20:12:09.424Z", dateUpdated: "2024-08-01T21:33:05.245Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-6104
Vulnerability from cvelistv5
Published
2024-06-24 17:06
Modified
2024-08-01 21:33
Severity: CVSS 3.1 base 6.0 Medium (CNA: HashiCorp); CISA SSVC: Exploitation none, Automatable no, Technical Impact partial
Summary
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file, so a URL carrying HTTP basic-auth credentials in its userinfo part could be written to the log in clear text. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7 (HashiCorp advisory HCSEC-2024-12); it is classified as CWE-532 (insertion of sensitive information into log file) and scored CVSS 3.1 6.0 Medium (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) — reading the leaked credentials requires local, privileged access to the log. Upgrading only stops new leakage: treat any credentials that an earlier version may already have logged as exposed and rotate them.
References: https://discuss.hashicorp.com/c/security (HashiCorp security forum; advisory HCSEC-2024-12)
Impacted products
Vendor | Product | Version
---|---|---
HashiCorp | Shared library (go-retryablehttp, https://github.com/hashicorp/go-retryablehttp) | 0 ≤ version < 0.7.7 (semver; fixed in 0.7.7)
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-6104", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-24T19:19:22.878144Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-24T19:19:28.773Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T21:33:04.395Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://discuss.hashicorp.com/c/security", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux", ], product: "Shared library", repo: "https://github.com/hashicorp/go-retryablehttp", vendor: "HashiCorp", versions: [ { lessThan: "0.7.7", status: "affected", version: "0", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.</p><br/>", }, ], value: "go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. 
This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.", }, ], impacts: [ { capecId: "CAPEC-118", descriptions: [ { lang: "en", value: "CAPEC-118: Collect and Analyze Information", }, ], }, ], metrics: [ { cvssV3_1: { baseScore: 6, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-532", description: "CWE-532: Insertion of Sensitive Information into Log File", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-24T17:06:21.150Z", orgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", shortName: "HashiCorp", }, references: [ { url: "https://discuss.hashicorp.com/c/security", }, ], source: { advisory: "HCSEC-2024-12", discovery: "EXTERNAL", }, title: "go-retryablehttp can leak basic auth credentials to log files", }, }, cveMetadata: { assignerOrgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", assignerShortName: "HashiCorp", cveId: "CVE-2024-6104", datePublished: "2024-06-24T17:06:21.150Z", dateReserved: "2024-06-17T22:19:58.680Z", dateUpdated: "2024-08-01T21:33:04.395Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-3817
Vulnerability from cvelistv5
Published
2024-04-17 19:37
Modified
2024-08-01 20:20
Severity: CVSS 3.1 base 9.8 Critical (CNA: HashiCorp); CISA SSVC: Exploitation none, Automatable no, Technical Impact partial
Summary
HashiCorp’s go-getter library (v1) is vulnerable to argument injection when it executes Git to discover remote default branches. Affected: go-getter 1.5.9 ≤ version < 1.7.3; fixed in 1.7.3 (HashiCorp advisory HCSEC-2024-09). The record classifies it as CWE-88 (improper neutralization of argument delimiters, i.e. argument injection) and scores it CVSS 3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — reachable over the network without authentication or user interaction.
This vulnerability does not affect the go-getter/v2 branch and package.
References: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 (HashiCorp advisory HCSEC-2024-09)
Impacted products
Vendor | Product | Version
---|---|---
HashiCorp | Shared library (go-getter v1, https://github.com/hashicorp/go-getter) | 1.5.9 ≤ version < 1.7.3 (semver; fixed in 1.7.3; go-getter/v2 not affected)
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:hashicorp:go-getter:1.5.9:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "go-getter", vendor: "hashicorp", versions: [ { lessThan: "1.7.3", status: "affected", version: "1.5.9", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-3817", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-23T16:09:26.407809Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:31:04.582Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T20:20:01.607Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", platforms: [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux", ], product: "Shared library", repo: "https://github.com/hashicorp/go-getter", vendor: "HashiCorp", versions: [ { lessThan: "1.7.3", status: "affected", version: "1.5.9", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. \n\nThis vulnerability does not affect the go-getter/v2 branch and package.</p><br/>", }, ], value: "HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. 
\n\nThis vulnerability does not affect the go-getter/v2 branch and package.", }, ], impacts: [ { capecId: "CAPEC-248", descriptions: [ { lang: "en", value: "CAPEC-248: Command Injection", }, ], }, ], metrics: [ { cvssV3_1: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-88", description: "CWE-88: Improper Neutralization of Argument Delimiters in a Command (Argument Injection)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-17T19:37:25.878Z", orgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", shortName: "HashiCorp", }, references: [ { url: "https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040", }, ], source: { advisory: "HCSEC-2024-09", discovery: "EXTERNAL", }, title: "HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches", }, }, cveMetadata: { assignerOrgId: "67fedba0-ff2e-4543-ba5b-aa93e87718cc", assignerShortName: "HashiCorp", cveId: "CVE-2024-3817", datePublished: "2024-04-17T19:37:25.878Z", dateReserved: "2024-04-15T14:04:27.869Z", dateUpdated: "2024-08-01T20:20:01.607Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }