Bug 2092925 (CVE-2022-30323)

Summary: CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amctagga, bdettelb, bmontgom, eglynn, eparis, go-sig, gparvin, jburrell, jjoyce, jokerman, jramanat, lhh, mburns, njean, nstielau, pahickey, rdey, rhos-maint, sponnaga, spower, stcannon, tsedovic, vkumar, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-getter. Several vulnerabilities were identified in how go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-07 14:33:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2092926, 2100980, 2100981, 2100982, 2100983, 2100984, 2100985, 2100986, 2100987, 2100988, 2100989, 2100990, 2100991, 2100992, 2100993, 2100994, 2100995, 2100996, 2100997, 2100998, 2100999, 2101000, 2101001, 2101002, 2101003, 2101004, 2101005, 2101006, 2101007, 2101008, 2101009, 2101010, 2101011, 2101012, 2101013, 2101014, 2101015, 2101016, 2101017, 2101018, 2101026, 2101027, 2101028    
Bug Blocks: 2092556    

Description Guilherme de Almeida Suckevicz 2022-06-02 14:32:48 UTC
HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 3 of 3).

References:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
https://github.com/hashicorp/go-getter/releases

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:33:05 UTC
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092926]

Comment 5 errata-xmlrpc 2022-07-20 15:48:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673

Comment 7 errata-xmlrpc 2022-08-10 10:35:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 8 errata-xmlrpc 2022-08-31 12:33:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6133 https://access.redhat.com/errata/RHSA-2022:6133

Comment 9 errata-xmlrpc 2022-08-31 16:39:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6147 https://access.redhat.com/errata/RHSA-2022:6147

Comment 10 errata-xmlrpc 2022-09-08 05:40:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6258 https://access.redhat.com/errata/RHSA-2022:6258

Comment 11 errata-xmlrpc 2022-09-14 20:38:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308

Comment 12 errata-xmlrpc 2022-10-12 08:15:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6805 https://access.redhat.com/errata/RHSA-2022:6805

Comment 13 errata-xmlrpc 2022-10-13 07:45:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6801 https://access.redhat.com/errata/RHSA-2022:6801

Comment 14 errata-xmlrpc 2022-10-19 19:50:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6905 https://access.redhat.com/errata/RHSA-2022:6905

Comment 16 errata-xmlrpc 2022-11-02 06:27:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:7201 https://access.redhat.com/errata/RHSA-2022:7201

Comment 17 errata-xmlrpc 2022-11-02 07:25:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:7211 https://access.redhat.com/errata/RHSA-2022:7211

Comment 18 errata-xmlrpc 2022-11-03 05:56:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:7216 https://access.redhat.com/errata/RHSA-2022:7216

Comment 19 errata-xmlrpc 2022-11-18 05:14:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:7874 https://access.redhat.com/errata/RHSA-2022:7874

Comment 20 Product Security DevOps Team 2022-12-07 14:33:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30323

Comment 22 errata-xmlrpc 2023-01-06 10:37:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:9111 https://access.redhat.com/errata/RHSA-2022:9111