CVE-2022-26945: Command Injection
First published: Tue May 24 2022(Updated: )
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/github.com/hashicorp/go-getter | <1.6.1 | 1.6.1 |
| redhat/github.com/hashicorp/go-getter | <2.1.0 | 2.1.0 |
| HashiCorp Go-Getter | <=1.5.11 | |
| HashiCorp Go-Getter | =2.0.2 |
Remedy
The fix includes new configuration options to help limit the security exposure and have more secure defaults.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://discuss.hashicorp.com
- https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2092929
- https://access.redhat.com/errata/RHSA-2022:5673
- https://access.redhat.com/errata/RHSA-2022:5069
- https://access.redhat.com/errata/RHSA-2022:6133
- https://access.redhat.com/errata/RHSA-2022:6147
- https://access.redhat.com/errata/RHSA-2022:6258
- https://access.redhat.com/errata/RHSA-2022:6308
- https://access.redhat.com/errata/RHSA-2022:6805
- https://access.redhat.com/errata/RHSA-2022:6801
- https://access.redhat.com/errata/RHSA-2022:6905
- https://access.redhat.com/errata/RHSA-2022:7201
- https://access.redhat.com/errata/RHSA-2022:7211
- https://access.redhat.com/errata/RHSA-2022:7216
- https://access.redhat.com/errata/RHSA-2022:7874
- https://access.redhat.com/security/cve/cve-2022-26945
- https://access.redhat.com/errata/RHSA-2022:9111
- https://bugzilla.redhat.com/show_bug.cgi?id=2092928
- https://www.cve.org/CVERecord?id=CVE-2022-26945 https://nvd.nist.gov/vuln/detail/CVE-2022-26945 https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for go-getter?
The vulnerability ID for go-getter is CVE-2022-26945.
What is the severity level of CVE-2022-26945?
The severity level of CVE-2022-26945 is critical with a CVSS score of 9.8.
What is affected by CVE-2022-26945?
HashiCorp go-getter versions up to 1.5.11 and 2.0.2 are affected by CVE-2022-26945.
How can an attacker exploit CVE-2022-26945?
An attacker can exploit CVE-2022-26945 by misusing go-getter to execute commands on the host.
How can I fix CVE-2022-26945?
To fix CVE-2022-26945, update HashiCorp go-getter to version 1.6.1 or 2.1.0.
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-26945
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/redhat
- vendor/hashicorp
- canonical/hashicorp go-getter
- version/hashicorp go-getter/1.5.11
- version/hashicorp go-getter/2.0.2