CVE-2022-29810

Reference Links

• https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
• https://github.com/hashicorp/go-getter/pull/348
• https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
• https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2080283
• https://access.redhat.com/errata/RHSA-2022:4956
• https://access.redhat.com/errata/RHSA-2022:5201
• https://access.redhat.com/errata/RHSA-2022:5392
• https://access.redhat.com/errata/RHSA-2022:5069
• https://access.redhat.com/errata/RHSA-2022:6156
• https://access.redhat.com/security/cve/cve-2022-29810
• https://bugzilla.redhat.com/show_bug.cgi?id=2080279
• https://www.cve.org/CVERecord?id=CVE-2022-29810 https://nvd.nist.gov/vuln/detail/CVE-2022-29810 https://github.com/golang/vulndb/issues/438

Parent vulnerabilities

(Appears in the following advisories)

• RHSA-2022:5392
• RHSA-2022:4956
• RHSA-2022:5069
• RHSA-2022:6156

Frequently Asked Questions

• What is CVE-2022-29810?

  CVE-2022-29810 is a vulnerability in the Hashicorp go-getter library before 1.5.11 that does not redact an SSH key from a URL query parameter.

• What is the severity of CVE-2022-29810?

  The severity of CVE-2022-29810 is medium with a severity value of 5.1.

• How does CVE-2022-29810 affect the software?

  CVE-2022-29810 affects the Hashicorp go-getter library before 1.5.11 and the HashiCorp go-getter package with versions up to 1.5.11.

• What is the impact of CVE-2022-29810?

  The impact of CVE-2022-29810 is that a local user with access to read log files may be able to read sensitive credentials, potentially leading to privilege escalation or account takeover.

• How can CVE-2022-29810 be fixed?

  To fix CVE-2022-29810, update the Hashicorp go-getter library to version 1.5.11 or later.