csaf_redhat - rhsa-2022

rhsa-2022_5673

Vulnerability from csaf_redhat

Published

2022-07-20 15:48

Modified

2024-09-18 14:41

Summary

Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Notes

Topic

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

Details

Release osp-director-operator images Security Fix(es): * go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321) * go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322) * go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323) * go-getter: command injection vulnerability [Important] (CVE-2022-26945) * golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565) * containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Release osp-director-operator images\n\nSecurity Fix(es):\n\n* go-getter: unsafe download (issue 1 of 3) [Important] (CVE-2022-30321)\n* go-getter: unsafe download (issue 2 of 3) [Important] (CVE-2022-30322)\n* go-getter: unsafe download (issue 3 of 3) [Important] (CVE-2022-30323)\n* go-getter: command injection vulnerability [Important] (CVE-2022-26945)\n* golang.org/x/crypto: empty plaintext packet causes panic [Moderate] (CVE-2021-43565)\n* containerd: insufficiently restricted permissions on container root and plugin directories [Moderate] (CVE-2021-41103)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:5673",
        "url": "https://access.redhat.com/errata/RHSA-2022:5673"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/errata/RHSA-2022:4991",
        "url": "https://access.redhat.com/errata/RHSA-2022:4991"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/containers",
        "url": "https://access.redhat.com/containers"
      },
      {
        "category": "external",
        "summary": "2011007",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
      },
      {
        "category": "external",
        "summary": "2030787",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
      },
      {
        "category": "external",
        "summary": "2092918",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
      },
      {
        "category": "external",
        "summary": "2092923",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
      },
      {
        "category": "external",
        "summary": "2092925",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
      },
      {
        "category": "external",
        "summary": "2092928",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2022/rhsa-2022_5673.json"
      }
    ],
    "title": "Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview",
    "tracking": {
      "current_release_date": "2024-09-18T14:41:45+00:00",
      "generator": {
        "date": "2024-09-18T14:41:45+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2022:5673",
      "initial_release_date": "2022-07-20T15:48:31+00:00",
      "revision_history": [
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-07-20T15:48:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-18T14:41:45+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenStack Platform 16.2",
                "product": {
                  "name": "Red Hat OpenStack Platform 16.2",
                  "product_id": "8Base-RHOS-16.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:16.2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-downloader\u0026tag=1.2.3-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator-bundle\u0026tag=1.2.3-5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                "product": {
                  "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_id": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022?arch=amd64\u0026repository_url=registry.redhat.io/rhosp-rhel8-tech-preview/osp-director-operator\u0026tag=1.2.3-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64 as a component of Red Hat OpenStack Platform 16.2",
          "product_id": "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        },
        "product_reference": "rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64",
        "relates_to_product_reference": "8Base-RHOS-16.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41103",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-10-04T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2011007"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the containerd package. Containerd could allow a local authenticated attacker to traverse directories on the system, due to improper restricted permissions on the container root and plugin directories. This issue could allow an attacker to send a specially-crafted request containing \"dot dot\" sequences (/../) to view directory contents and execute programs.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "containerd: insufficiently restricted permissions on container root and plugin directories",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "RHBZ#2011007",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011007"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-41103",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-41103"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41103"
        }
      ],
      "release_date": "2021-10-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "containerd: insufficiently restricted permissions on container root and plugin directories"
    },
    {
      "cve": "CVE-2021-43565",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2021-12-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2030787"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "There\u0027s an input validation flaw in golang.org/x/crypto\u0027s readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang.org/x/crypto: empty plaintext packet causes panic",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "go-toolset shipped with Red Hat Developer Tools - Compilers and golang shipped with Red Hat Enterprise Linux 8 are not affected by this flaw because they do not ship the vulnerable code.\n\nThis flaw was rated to have a Moderate impact because it is not shipped in the Golang standard library and thus has a reduced impact to products compared with other flaws of this type.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "RHBZ#2030787",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030787"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43565",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43565"
        }
      ],
      "release_date": "2021-12-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang.org/x/crypto: empty plaintext packet causes panic"
    },
    {
      "cve": "CVE-2022-26945",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092928"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: command injection vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092928",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-26945",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26945"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: command injection vulnerability"
    },
    {
      "cve": "CVE-2022-30321",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092918"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 1 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092918",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092918"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30321",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30321"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 1 of 3)"
    },
    {
      "cve": "CVE-2022-30322",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092923"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 2 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092923",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092923"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30322",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30322"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 2 of 3)"
    },
    {
      "cve": "CVE-2022-30323",
      "cwe": {
        "id": "CWE-229",
        "name": "Improper Handling of Values"
      },
      "discovery_date": "2022-05-25T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2092925"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "go-getter: unsafe download (issue 3 of 3)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
        ],
        "known_not_affected": [
          "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "RHBZ#2092925",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092925"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30323",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30323"
        },
        {
          "category": "external",
          "summary": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "release_date": "2022-05-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "OSP 16.2 Release - OSP Director Operator Containers tech preview",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5673"
        },
        {
          "category": "workaround",
          "details": "The fix includes new configuration options to help limit the security exposure and have more secure defaults.",
          "product_ids": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator-bundle@sha256:aa9e37b43a57edcad97584248c7a47bb819d3b558520610b0bd4ffaaa800e42d_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-downloader@sha256:076a67e9290c311aa8be3c24b4c512957e24c8aab698f1b56469dd5233f408f1_amd64",
            "8Base-RHOS-16.2:rhosp-rhel8-tech-preview/osp-director-operator@sha256:093ae2ef7b3a802a70e1e9e28edaf35a01a76bbc701d00fecdf4bedb9891f022_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "go-getter: unsafe download (issue 3 of 3)"
    }
  ]
}

cve-2022-26945

Vulnerability from cvelistv5

Published

2022-05-25 11:19

Modified

2024-08-03 05:18

Severity

Summary

go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.

References

URL	Tags
https://discuss.hashicorp.com	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930	x_refsource_MISC

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:18:38.351Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T21:31:38",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26945",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26945",
    "datePublished": "2022-05-25T11:19:48",
    "dateReserved": "2022-03-12T00:00:00",
    "dateUpdated": "2024-08-03T05:18:38.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-30323

Vulnerability from cvelistv5

Published

2022-05-25 11:19

Modified

2024-08-03 06:48

Severity

Summary

go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.

References

URL	Tags
https://discuss.hashicorp.com	x_refsource_MISC
https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/	x_refsource_MISC

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T23:10:10",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30323",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30323",
    "datePublished": "2022-05-25T11:19:30",
    "dateReserved": "2022-05-07T00:00:00",
    "dateUpdated": "2024-08-03T06:48:35.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-41103

Vulnerability from cvelistv5

Published

2021-10-04 00:00

Modified

2024-08-04 02:59

Severity

5.9 (Medium) - cvssV3_0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Summary

Insufficiently restricted permissions on plugin directories

References

URL	Tags
https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq
https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/	vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/	vendor-advisory
https://www.debian.org/security/2021/dsa-5002	vendor-advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
https://security.gentoo.org/glsa/202401-31	vendor-advisory

Impacted products

Vendor	Product
containerd	containerd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8"
          },
          {
            "name": "FEDORA-2021-df975338d4",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
          },
          {
            "name": "FEDORA-2021-b5a9a481a2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
          },
          {
            "name": "DSA-5002",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-5002"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
          },
          {
            "name": "GLSA-202401-31",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-31"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c 1.5.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T13:06:20.094638",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq"
        },
        {
          "url": "https://github.com/containerd/containerd/commit/5b46e404f6b9f661a205e28d59c982d3634148f8"
        },
        {
          "name": "FEDORA-2021-df975338d4",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNFADTCHHYWVM6W4NJ6CB4FNFM2VMBIB/"
        },
        {
          "name": "FEDORA-2021-b5a9a481a2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B5Q6G6I4W5COQE25QMC7FJY3I3PAYFBB/"
        },
        {
          "name": "DSA-5002",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-5002"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf"
        },
        {
          "name": "GLSA-202401-31",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-31"
        }
      ],
      "source": {
        "advisory": "GHSA-c2h3-6mxw-7mvq",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficiently restricted permissions on plugin directories"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41103",
    "datePublished": "2021-10-04T00:00:00",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.538Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-43565

Vulnerability from cvelistv5

Published

2022-09-06 17:03

Modified

2024-08-04 04:03

Severity

Summary

The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

References

URL	Tags
https://groups.google.com/forum/#%21forum/golang-announce	x_refsource_MISC
https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:07.828Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21forum/golang-announce"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-06T17:03:42",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/forum/#%21forum/golang-announce"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-43565",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://groups.google.com/forum/#!forum/golang-announce",
              "refsource": "MISC",
              "url": "https://groups.google.com/forum/#!forum/golang-announce"
            },
            {
              "name": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-43565",
    "datePublished": "2022-09-06T17:03:42",
    "dateReserved": "2021-11-09T00:00:00",
    "dateUpdated": "2024-08-04T04:03:07.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-30322

Vulnerability from cvelistv5

Published

2022-05-25 11:19

Modified

2024-08-03 06:48

Severity

Summary

go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.

References

URL	Tags
https://discuss.hashicorp.com	x_refsource_MISC
https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/	x_refsource_MISC

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T23:05:55",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30322",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30322",
    "datePublished": "2022-05-25T11:19:35",
    "dateReserved": "2022-05-07T00:00:00",
    "dateUpdated": "2024-08-03T06:48:35.602Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-30321

Vulnerability from cvelistv5

Published

2022-05-25 11:19

Modified

2024-08-03 06:48

Severity

Summary

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

References

URL	Tags
https://discuss.hashicorp.com	x_refsource_MISC
https://github.com/hashicorp/go-getter/releases	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930	x_refsource_MISC

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T06:48:35.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/hashicorp/go-getter/releases"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T21:35:58",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hashicorp/go-getter/releases"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-30321",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.hashicorp.com",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com"
            },
            {
              "name": "https://github.com/hashicorp/go-getter/releases",
              "refsource": "MISC",
              "url": "https://github.com/hashicorp/go-getter/releases"
            },
            {
              "name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930",
              "refsource": "MISC",
              "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-30321",
    "datePublished": "2022-05-25T11:19:42",
    "dateReserved": "2022-05-07T00:00:00",
    "dateUpdated": "2024-08-03T06:48:35.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2022_5673

Vulnerability from csaf_redhat

cve-2022-26945

Vulnerability from cvelistv5

cve-2022-30323

Vulnerability from cvelistv5

cve-2021-41103

Vulnerability from cvelistv5

cve-2021-43565

Vulnerability from cvelistv5

cve-2022-30322

Vulnerability from cvelistv5

cve-2022-30321

Vulnerability from cvelistv5

Tags