Go Getter
CVE-2022-30321
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionNVD
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
AnalysisAI
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. Affected products include: Hashicorp Go-Getter. Version information: up to 1.5.11.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. Rated
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of cus
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configura
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Rated high severity (CVSS 8.6),
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP response
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Rated medium severity (CVSS 6.5), this v
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter. Rated medium severi
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized rea
Same weakness CWE-22 – Path Traversal
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today