CVE-2022-26945

HIGH8.6EPSS 0.20%

HashiCorp go-getter unsafe downloads

發布日:2022/5/26修改日:2024/3/15

也稱為:GHSA-28r2-q6m8-9hpx GHSA-cjr4-fv6c-f3mv GHSA-fcgg-rvwg-jv58 GHSA-x24g-9w7v-vprhGO-2022-0586

描述

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

受影響套件(21)

Debian/golang-github-hashicorp-go-getterfrom 0
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getterfrom 0, < 1.6.1
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/gcs/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/s3/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0
Go/github.com/hashicorp/go-getter/v2from 0, < 2.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

描述

受影響套件(21)

CVSS 分數

參考連結(15)