Lucene search

K
osvGoogleOSV:GO-2022-0586
HistoryMay 26, 2022 - 12:01 a.m.

Resource exhaustion in github.com/hashicorp/go-getter and related modules

2022-05-2600:01:27
Google
osv.dev
14
malicious http responses
local file overwrite
protocol switching
path traversal
command injection
resource exhaustion
panic
password-protected zip

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

61.4%

Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics.

  • Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing.

  • Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws.

  • Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses.

  • A panic can be triggered when go-getter processed password-protected ZIP files.

AI Score

9.3

Confidence

High

EPSS

0.002

Percentile

61.4%