
CVE-2022-30321: HashiCorp go-getter unsafe downloads

CVSS 3.1 Score: 8.6

Basic Information

EPSS Score: 0.77068%
CWE: -
Published: 5/26/2022
Updated: 2/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Package Name                           Ecosystem   Vulnerable Versions   First Patched Version
github.com/hashicorp/go-getter         go          < 1.6.1               1.6.1
github.com/hashicorp/go-getter         go          >= 2.0.0, < 2.1.0     2.1.0
github.com/hashicorp/go-getter/v2      go          < 2.1.0               2.1.0
github.com/hashicorp/go-getter/s3/v2   go          < 2.1.0               2.1.0
github.com/hashicorp/go-getter/gcs/v2  go          < 2.1.0               2.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from three main issues: 1) HTTP header processing flaws in HttpGetter.Get that allowed protocol switching and redirect loops; 2) insufficient path sanitization in subdirectory (client.go) and filename handling; and 3) command injection vectors in hg/git command execution. The commit addresses these by adding validation checks (containsDotDot), argument sanitization (a "--" separator in hg commands so that positional arguments are not parsed as options), timeout controls, and redirect limits. The affected functions can be identified in the diff by the added security checks and the modified command execution patterns.
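The three classes of fix named in the analysis, shown as an added Go illustration that is not go-getter's own code and is not taken from the commit: a containsDotDot-style traversal check applied to a subdirectory, a "--" separator before positional hg arguments, and an http.Client redirect policy that caps the chain and refuses a scheme change. The function names, the maxRedirects value, the example.invalid URLs and the timeout are assumptions made for this example; the page gives none of them.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
	"time"
)

// maxRedirects is an assumed cap; the advisory does not state the limit the fix uses.
const maxRedirects = 10

// containsDotDot reports whether any element of p, split on both "/" and "\",
// is exactly "..". Splitting on both separators avoids a Windows-style bypass.
func containsDotDot(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, part := range strings.FieldsFunc(p, isSep) {
		if part == ".." {
			return true
		}
	}
	return false
}

// resolveSubdir joins a user-controlled subdirectory under dst, rejecting
// ".." components and absolute paths so the result cannot escape dst.
// (Hypothetical helper standing in for the client.go subdirectory handling.)
func resolveSubdir(dst, sub string) (string, error) {
	if containsDotDot(sub) {
		return "", fmt.Errorf("subdirectory %q contains \"..\"", sub)
	}
	if filepath.IsAbs(sub) {
		return "", fmt.Errorf("subdirectory %q must be relative", sub)
	}
	return filepath.Join(dst, sub), nil
}

// hgArgs places "--" before positional arguments so that a source URL or
// destination beginning with "-" is never interpreted as an hg option.
func hgArgs(subcommand string, positional ...string) []string {
	args := []string{subcommand, "--"}
	return append(args, positional...)
}

// checkRedirect is an http.Client.CheckRedirect policy. net/http passes the
// original request as via[0]; the policy caps the chain length and refuses
// a hop that changes scheme (for example https -> http), the protocol
// switching the advisory describes.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= maxRedirects {
		return fmt.Errorf("stopped after %d redirects", maxRedirects)
	}
	if req.URL.Scheme != via[0].URL.Scheme {
		return fmt.Errorf("redirect changed scheme from %s to %s",
			via[0].URL.Scheme, req.URL.Scheme)
	}
	return nil
}

// newClient wires the redirect policy together with an overall timeout so a
// slow or looping server cannot hold a download open indefinitely.
func newClient() *http.Client {
	return &http.Client{
		Timeout:       30 * time.Second, // assumed value
		CheckRedirect: checkRedirect,
	}
}

func main() {
	// Constructed inputs: a traversal attempt and a benign subdirectory.
	for _, sub := range []string{"../../etc", "modules/vpc"} {
		p, err := resolveSubdir("/tmp/dst", sub)
		fmt.Printf("subdir %q -> %q, err=%v\n", sub, p, err)
	}
	fmt.Println("hg args:", hgArgs("clone", "-config=x", "dst"))

	first, _ := http.NewRequest("GET", "https://example.invalid/a", nil)
	hop, _ := http.NewRequest("GET", "http://example.invalid/b", nil)
	fmt.Println("scheme switch:", checkRedirect(hop, []*http.Request{first}))
	_ = newClient()
}
```

The scheme comparison is deliberately against via[0], the request the caller made, rather than the immediately preceding hop, so a chain that drifts through several redirects cannot downgrade step by step.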


WAF Protection Rules

WAF Rule

HashiCorp go-getter through *.*.* does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
