Bug 2092928 (CVE-2022-26945) - CVE-2022-26945 go-getter: command injection vulnerability
Summary: CVE-2022-26945 go-getter: command injection vulnerability
Keywords:
Status: NEW
Alias: CVE-2022-26945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2092929 2100980 2100981 2100982 2100983 2100984 2100985 2100986 2100987 2100988 2100989 2100990 2100991 2100992 2100993 2100994 2100995 2100996 2100997 2100998 2100999 2101000 2101001 2101002 2101003 2101004 2101005 2101006 2101007 2101008 2101009 2101010 2101011 2101012 2101013 2101014 2101015 2101016 2101017 2101018 2101026 2101027 2101028
Blocks: 2092556
Reported: 2022-06-02 14:35 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-08-02 16:12 UTC (History)
CC: 23 users

Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
A command injection flaw was found in go-getter. An attacker may be able to misuse go-getter to execute commands on the host; this may be possible when symlink processing and path traversal are allowed.
Clone Of:
Environment:
Last Closed:




Links:
Red Hat Product Errata RHSA-2022:5673 (last updated 2022-07-20 15:48:45 UTC)

Description Guilherme de Almeida Suckevicz 2022-06-02 14:35:20 UTC
HashiCorp go-getter before 2.0.2 allows Command Injection.

Reference:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:35:37 UTC
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092929]

Comment 5 errata-xmlrpc 2022-07-20 15:48:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673
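The fixed releases named in the Fixed In Version field above (1.6.1 on the v1 module line, 2.1.0 on the v2 module line) are the only remediation data this bug carries. The Go program below is added here as an example; it is not part of this bug, of the errata, or of the go-getter project. It reads `go list -m all` output and reports go-getter modules that predate those two releases. It assumes the usual `go list -m all` line shape (`path version`, with `=>` introducing a replace directive) and uses a small semantic-version comparison written for this example, not taken from HashiCorp; the sample module list at the top is constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Fixed releases from this bug's "Fixed In Version" field, keyed by module
// path. Go modules put the v2 line at a "/v2"-suffixed path, so the two
// lines are tracked separately.
var fixedVersions = map[string]string{
	"github.com/hashicorp/go-getter":    "1.6.1",
	"github.com/hashicorp/go-getter/v2": "2.1.0",
}

// Constructed sample of `go list -m all` output (not real project data).
const sampleGoList = `github.com/hashicorp/go-getter v1.5.11
github.com/hashicorp/go-getter/v2 v2.0.2 => github.com/hashicorp/go-getter/v2 v2.1.0
github.com/hashicorp/hcl v1.0.0 => ../hcl
`

type semver struct {
	major, minor, patch int
	pre                 string // pre-release tag, "" for a final release
}

// parseSemver handles the "vMAJOR.MINOR.PATCH[-PRE][+BUILD]" form Go modules use.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects ordering
	}
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unsupported version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("unsupported version %q", s)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a orders before b: numeric fields first, then a
// pre-release sorts before the final release with the same numbers.
func less(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	switch {
	case a.pre == b.pre:
		return false
	case a.pre == "":
		return false // final release sorts after any pre-release
	case b.pre == "":
		return true
	default:
		return a.pre < b.pre // assumption: plain string order suffices here
	}
}

// IsVulnerable reports whether modulePath at version predates the fixed
// release for that go-getter line. Other module paths are reported as not
// vulnerable, since this check only knows about go-getter.
func IsVulnerable(modulePath, version string) (bool, error) {
	fixed, tracked := fixedVersions[modulePath]
	if !tracked {
		return false, nil
	}
	have, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	want, err := parseSemver(fixed)
	if err != nil {
		return false, err
	}
	return less(have, want), nil
}

// ScanModuleList reads `go list -m all` lines and returns the go-getter
// entries that are still vulnerable. A replace directive is honoured by
// checking the replacement; a go-getter module replaced by a local directory
// has no comparable version and is reported for manual review.
func ScanModuleList(r io.Reader) ([]string, error) {
	var findings []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 {
			continue
		}
		path, version := f[0], f[1]
		if len(f) >= 3 && f[2] == "=>" {
			if len(f) < 5 {
				if _, tracked := fixedVersions[path]; tracked {
					findings = append(findings, path+" "+version+" => "+f[3]+" (local replacement, check manually)")
				}
				continue
			}
			path, version = f[3], f[4]
		}
		vuln, err := IsVulnerable(path, version)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		if vuln {
			findings = append(findings, path+" "+version)
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := ScanModuleList(strings.NewReader(sampleGoList))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("no vulnerable go-getter versions found")
	}
	for _, f := range findings {
		fmt.Println("vulnerable:", f)
	}
}
```

Against the constructed sample the v1 module at v1.5.11 is reported, the v2 module is not because its replace directive points at v2.1.0, and the hcl line is ignored. To run it on a real build, pipe `go list -m all` into the program and pass `os.Stdin` to ScanModuleList in place of the sample reader.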

