Bug 2092918 (CVE-2022-30321) - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
Summary: CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)
Keywords:
Status: NEW
Alias: CVE-2022-30321
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance (Priority / Severity): high / high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2092922 2100980 2100981 2100982 2100983 2100984 2100985 2100986 2100987 2100988 2100989 2100990 2100991 2100992 2100993 2100994 2100995 2100996 2100997 2100998 2100999 2101000 2101001 2101002 2101003 2101004 2101005 2101006 2101007 2101008 2101009 2101010 2101011 2101012 2101013 2101014 2101015 2101016 2101017 2101018 2101026 2101027 2101028
Blocks: 2092556
Reported: 2022-06-02 14:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-07-25 08:30 UTC (History)

Fixed In Version: github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-getter. Several vulnerabilities were identified in the way go-getter processes HTTP responses, response headers, and password-protected ZIP files. These flaws allow an attacker to bypass certain configuration settings and may lead to a denial of service.
Clone Of:
Environment:
Last Closed:

Links: Red Hat Product Errata RHSA-2022:5673 (last updated 2022-07-20 15:48:40 UTC)

Description Guilherme de Almeida Suckevicz 2022-06-02 14:25:44 UTC
HashiCorp go-getter through 2.0.2 does not safely perform downloads (issue 1 of 3).

References:
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
https://github.com/hashicorp/go-getter/releases

Comment 1 Guilherme de Almeida Suckevicz 2022-06-02 14:30:37 UTC
Created golang-github-yujunz-getter tracking bugs for this issue:

Affects: fedora-all [bug 2092922]

Comment 5 Maxwell G 2022-06-27 18:10:34 UTC
What's the point of the three duplicate issues[1]? Is there something that I'm missing here?

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918
     https://bugzilla.redhat.com/show_bug.cgi?id=2092923
     https://bugzilla.redhat.com/show_bug.cgi?id=2092925

Comment 6 Maxwell G 2022-06-27 18:12:42 UTC
(In reply to Maxwell G from comment #5)
> What's the point of the three duplicate issues[1]? Is there something that
> I'm missing here?
> 
> [1]: https://bugzilla.redhat.com/show_bug.cgi?id=2092918
> https://bugzilla.redhat.com/show_bug.cgi?id=2092923
> https://bugzilla.redhat.com/show_bug.cgi?id=2092925

Ah, I guess there are three different CVEs surrounding unsafe downloads. I did not look closely at the CVE numbers. Feel free to disregard this.

Comment 7 errata-xmlrpc 2022-07-20 15:48:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5673 https://access.redhat.com/errata/RHSA-2022:5673