Bug 2092918 (CVE-2022-30321) - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
Summary: CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-30321
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2092922 2100980 2100981 2100982 2100983 2100984 2100985 2100986 2100987 2100988 2100989 2100990 2100991 2100992 2100993 2100994 2100995 2100996 2100997 2100998 2100999 2101000 2101001 2101002 2101003 2101004 2101005 2101006 2101007 2101008 2101009 2101010 2101011 2101012 2101013 2101014 2101015 2101016 2101017 2101018 2101026 2101027 2101028
Blocks: 2092556
Reported: 2022-06-02 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-01-10 22:02 UTC
CC List: 28 users

Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. This flaw allows an attacker to bypass certain configuration settings and may lead to a denial of service.
Clone Of:
Environment:
Last Closed: 2022-12-07 13:32:53 UTC
Embargoed:




Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2022:5069  2022-08-10 10:35:13 UTC
Red Hat Product Errata  RHSA-2022:5673  2022-07-20 15:48:40 UTC
Red Hat Product Errata  RHSA-2022:6133  2022-08-31 12:33:16 UTC
Red Hat Product Errata  RHSA-2022:6147  2022-08-31 16:39:34 UTC
Red Hat Product Errata  RHSA-2022:6258  2022-09-08 05:40:47 UTC
Red Hat Product Errata  RHSA-2022:6308  2022-09-14 20:38:35 UTC
Red Hat Product Errata  RHSA-2022:6801  2022-10-13 07:45:13 UTC
Red Hat Product Errata  RHSA-2022:6805  2022-10-12 08:14:23 UTC
Red Hat Product Errata  RHSA-2022:6905  2022-10-19 19:50:46 UTC
Red Hat Product Errata  RHSA-2022:7201  2022-11-02 06:27:08 UTC
Red Hat Product Errata  RHSA-2022:7211  2022-11-02 07:25:08 UTC
Red Hat Product Errata  RHSA-2022:7216  2022-11-03 05:56:04 UTC
Red Hat Product Errata  RHSA-2022:7874  2022-11-18 05:14:56 UTC
Red Hat Product Errata  RHSA-2022:9111  2023-01-06 10:37:56 UTC

Description Guilherme de Almeida Suckevicz 2022-06-02 14:25:44 UTC
HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).

References:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
https://github.com/hashicorp/go-getter/releases
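The practical check a consumer of this bug wants is whether their own build pulls in a go-getter release below the ones listed in the Fixed In Version field (1.6.1 for the 1.x line, 2.1.0 for the 2.x line). The program below is an added example, not code from go-getter, HashiCorp or Red Hat: it reads `go.mod`-style or `go list -m all`-style lines, finds the go-getter requirements and compares each against the fixed release for its major-version line. The sample go.mod is constructed for the example, and the `github.com/hashicorp/go-getter/v2` module path for the 2.x series is assumed from the Go major-version convention.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod (not from any real project) so the check runs
// offline: the 1.x requirement is below the fix, the 2.x one is at it.
const sampleGoMod = `module example.com/app

go 1.18

require (
	github.com/hashicorp/go-getter v1.5.11
	github.com/hashicorp/go-getter/v2 v2.1.0
	github.com/hashicorp/hcl v1.0.0
)
`

// Fixed releases from the bug's "Fixed In Version" field, keyed by the
// module path of each major-version line (the /v2 path is assumed).
var fixedIn = map[string][3]int{
	"github.com/hashicorp/go-getter":    {1, 6, 1},
	"github.com/hashicorp/go-getter/v2": {2, 1, 0},
}

// Finding is one go-getter requirement and whether it needs upgrading.
type Finding struct {
	Module     string
	Version    string
	Vulnerable bool
	Reason     string
}

// parseSemver turns "v1.5.11" (optionally with "+incompatible") into
// major/minor/patch. Pre-release and pseudo-versions such as
// v0.0.0-20220101000000-abcdef123456 are rejected so they get flagged
// for manual review instead of being silently treated as 0.0.0.
func parseSemver(v string) ([3]int, error) {
	v = strings.TrimPrefix(v, "v")
	v = strings.TrimSuffix(v, "+incompatible")
	if strings.ContainsAny(v, "-+") {
		return [3]int{}, fmt.Errorf("pre-release or pseudo-version %q: review manually", v)
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, fmt.Errorf("malformed version %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, fmt.Errorf("malformed version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// AuditGoMod scans "path version" lines (go.mod require lines, single or
// block form, or `go list -m all` output) and compares every go-getter
// requirement with the fixed release for its major-version line.
func AuditGoMod(text string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		if i := strings.Index(line, "=>"); i >= 0 { // use the replacement side
			line = strings.TrimSpace(line[i+2:])
		}
		line = strings.TrimPrefix(line, "require ")
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		mod, ver := fields[0], fields[1]
		fixed, tracked := fixedIn[mod]
		if !tracked {
			continue
		}
		f := Finding{Module: mod, Version: ver}
		got, err := parseSemver(ver)
		switch {
		case err != nil:
			f.Vulnerable, f.Reason = true, err.Error()
		case less(got, fixed):
			f.Vulnerable = true
			f.Reason = fmt.Sprintf("below fixed release v%d.%d.%d", fixed[0], fixed[1], fixed[2])
		default:
			f.Reason = "at or above fixed release"
		}
		findings = append(findings, f)
	}
	return findings
}

func main() {
	for _, f := range AuditGoMod(sampleGoMod) {
		status := "ok"
		if f.Vulnerable {
			status = "VULNERABLE"
		}
		fmt.Printf("%-36s %-10s %s (%s)\n", f.Module, f.Version, status, f.Reason)
	}
}
```

The main module's go.mod only states minimum requirements; the version the build actually selects can be higher, so feeding `go list -m all` output to AuditGoMod gives the authoritative answer for a built binary. A fork pulled in through a `replace` directive will not match either tracked path and needs to be reviewed by hand.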

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:30:37 UTC
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092922]

Comment 5 Maxwell G 2022-06-27 18:10:34 UTC
What's the point of the three duplicate issues[1]? Is there something that I'm missing here?

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918 https://bugzilla.redhat.com/show_bug.cgi?id=2092923 https://bugzilla.redhat.com/show_bug.cgi?id=2092925

Comment 6 Maxwell G 2022-06-27 18:12:42 UTC
(In reply to Maxwell G from comment #5)
> What's the point of the three duplicate issues[1]? Is there something that
> I'm missing here?
> 
> [1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918
> https://bugzilla.redhat.com/show_bug.cgi?id=2092923
> https://bugzilla.redhat.com/show_bug.cgi?id=2092925

Ah, I guess there are three different CVEs surrounding unsafe downloads. I did not look closely at the CVE numbers. Feel free to disregard this.

Comment 7 errata-xmlrpc 2022-07-20 15:48:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673

Comment 9 errata-xmlrpc 2022-08-10 10:35:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 10 errata-xmlrpc 2022-08-31 12:33:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6133 https://access.redhat.com/errata/RHSA-2022:6133

Comment 11 errata-xmlrpc 2022-08-31 16:39:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6147 https://access.redhat.com/errata/RHSA-2022:6147

Comment 12 errata-xmlrpc 2022-09-08 05:40:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6258 https://access.redhat.com/errata/RHSA-2022:6258

Comment 13 Maxwell G 2022-09-08 14:43:39 UTC
I am removing myself from this issue. Please see https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/ETPDV57SDTABYN6P6MGRZWRRCXVFLPZD/ for a discussion on how prodsec can properly deal with Fedora vulnerabilities.

Comment 14 errata-xmlrpc 2022-09-14 20:38:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308

Comment 15 errata-xmlrpc 2022-10-12 08:14:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:6805 https://access.redhat.com/errata/RHSA-2022:6805

Comment 16 errata-xmlrpc 2022-10-13 07:45:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:6801 https://access.redhat.com/errata/RHSA-2022:6801

Comment 17 errata-xmlrpc 2022-10-19 19:50:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:6905 https://access.redhat.com/errata/RHSA-2022:6905

Comment 19 errata-xmlrpc 2022-11-02 06:27:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:7201 https://access.redhat.com/errata/RHSA-2022:7201

Comment 20 errata-xmlrpc 2022-11-02 07:25:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:7211 https://access.redhat.com/errata/RHSA-2022:7211

Comment 21 errata-xmlrpc 2022-11-03 05:56:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:7216 https://access.redhat.com/errata/RHSA-2022:7216

Comment 22 errata-xmlrpc 2022-11-18 05:14:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:7874 https://access.redhat.com/errata/RHSA-2022:7874

Comment 24 Product Security DevOps Team 2022-12-07 13:32:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-30321

Comment 26 errata-xmlrpc 2023-01-06 10:37:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:9111 https://access.redhat.com/errata/RHSA-2022:9111

