Bug 2092928 (CVE-2022-26945)

Summary: CVE-2022-26945 go-getter: command injection vulnerability
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: amctagga, bdettelb, bmontgom, eglynn, eparis, go-sig, gparvin, jburrell, jjoyce, jokerman, jramanat, ksathe, kurathod, lhh, mburns, njean, nstielau, osoukup, pahickey, rdey, rhos-maint, rkshirsa, security-response-team, sponnaga, spower, sreber, stcannon, tsedovic, vkumar, zebob.m
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.
Story Points: ---
Last Closed: 2022-12-07 15:02:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2092929, 2100980, 2100981, 2100982, 2100983, 2100984, 2100985, 2100986, 2100987, 2100988, 2100989, 2100990, 2100991, 2100992, 2100993, 2100994, 2100995, 2100996, 2100997, 2100998, 2100999, 2101000, 2101001, 2101002, 2101003, 2101004, 2101005, 2101006, 2101007, 2101008, 2101009, 2101010, 2101011, 2101012, 2101013, 2101014, 2101015, 2101016, 2101017, 2101018, 2101026, 2101027, 2101028
Bug Blocks: 2092556

Description Guilherme de Almeida Suckevicz 2022-06-02 14:35:20 UTC
HashiCorp go-getter before 2.0.2 allows Command Injection.

Reference:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:35:37 UTC
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092929]

Comment 5 errata-xmlrpc 2022-07-20 15:48:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673

Comment 7 errata-xmlrpc 2022-08-10 10:35:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 8 errata-xmlrpc 2022-08-31 12:33:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6133 https://access.redhat.com/errata/RHSA-2022:6133

Comment 9 errata-xmlrpc 2022-08-31 16:39:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6147 https://access.redhat.com/errata/RHSA-2022:6147

Comment 13 errata-xmlrpc 2022-09-08 05:40:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6258 https://access.redhat.com/errata/RHSA-2022:6258

Comment 14 errata-xmlrpc 2022-09-14 20:38:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308

Comment 15 errata-xmlrpc 2022-10-12 08:14:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6805 https://access.redhat.com/errata/RHSA-2022:6805

Comment 16 errata-xmlrpc 2022-10-13 07:45:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6801 https://access.redhat.com/errata/RHSA-2022:6801

Comment 17 errata-xmlrpc 2022-10-19 19:51:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6905 https://access.redhat.com/errata/RHSA-2022:6905

Comment 19 errata-xmlrpc 2022-11-02 06:27:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:7201 https://access.redhat.com/errata/RHSA-2022:7201

Comment 20 errata-xmlrpc 2022-11-02 07:25:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:7211 https://access.redhat.com/errata/RHSA-2022:7211

Comment 21 errata-xmlrpc 2022-11-03 05:56:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:7216 https://access.redhat.com/errata/RHSA-2022:7216

Comment 22 errata-xmlrpc 2022-11-18 05:14:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:7874 https://access.redhat.com/errata/RHSA-2022:7874

Comment 24 Product Security DevOps Team 2022-12-07 15:02:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-26945

Comment 26 errata-xmlrpc 2023-01-06 10:37:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:9111 https://access.redhat.com/errata/RHSA-2022:9111