2092928 – (CVE-2022-26945) CVE-2022-26945 go-getter: command injection vulnerability

Bug 2092928 (CVE-2022-26945) - CVE-2022-26945 go-getter: command injection vulnerability

Summary: CVE-2022-26945 go-getter: command injection vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2022-26945
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2092929 2100980 2100981 2100982 2100983 2100984 2100985 2100986 2100987 2100988 2100989 2100990 2100991 2100992 2100993 2100994 2100995 2100996 2100997 2100998 2100999 2101000 2101001 2101002 2101003 2101004 2101005 2101006 2101007 2101008 2101009 2101010 2101011 2101012 2101013 2101014 2101015 2101016 2101017 2101018 2101026 2101027 2101028
Blocks:	2092556
TreeView+	depends on / blocked

Reported:	2022-06-02 14:35 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-08-02 16:12 UTC (History)
CC List:	23 users (show)
Fixed In Version:	github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5673	0	None	None	None	2022-07-20 15:48:45 UTC

Description Guilherme de Almeida Suckevicz 2022-06-02 14:35:20 UTC

HashiCorp go-getter before 2.0.2 allows Command Injection.

Reference:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:35:37 UTC

Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092929]

Comment 5 errata-xmlrpc 2022-07-20 15:48:44 UTC

This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673

Note You need to log in before you can comment on or make changes to this bug.

amctagga
bdettelb
bmontgom
eglynn
eparis
go-sig
gparvin
jburrell
jjoyce
jokerman
jramanat
lhh
mburns
njean
nstielau
pahickey
rhos-maint
sponnaga
spower
stcannon
tsedovic
vkumar
zebob.m