| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/go-getter | go | < 1.6.1 | 1.6.1 |
| github.com/hashicorp/go-getter | go | >= 2.0.0, < 2.1.0 | 2.1.0 |
| github.com/hashicorp/go-getter/v2 | go | < 2.1.0 | 2.1.0 |
| github.com/hashicorp/go-getter/s3/v2 | go | < 2.1.0 | 2.1.0 |
| github.com/hashicorp/go-getter/gcs/v2 | go | < 2.1.0 | 2.1.0 |
The vulnerability stemmed from several insecure practices:

1. The HTTP handler followed an unlimited number of redirects and accepted arbitrarily large downloads via X-Terraform-Get (CWE-400).
2. Path traversal in subdirectory and file handling (CWE-22).
3. Missing symlink protections (CWE-59).
4. No timeouts on external commands (CWE-400).

The commit diff shows the corresponding fixes: an XTerraformGetLimit, a MaxBytes cap, containsDotDot checks, DisableSymlinks enforcement, and CommandContext timeouts, each addressing one of these vulnerable code paths.
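To show what two of those fixes guard against, here is an added illustrative Go example (not go-getter's own code): a segment-based dot-dot check applied to a user-supplied subdirectory, and a MaxBytes-style bounded copy that fails once the limit is exceeded instead of silently truncating. The helper names safeSubdir and copyAtMost, the root path and the sample inputs are assumptions made for the example.

```go
package main

import (
	"errors"
	"io"
	"path/filepath"
	"strings"
)

// Illustrative hardening, not go-getter's own code: reject ".." segments in a
// user-supplied subdirectory and cap a download's size, failing loudly rather
// than silently truncating.
var errDotDot = errors.New("subdirectory contains a \"..\" segment")
var errTooLarge = errors.New("download exceeds the configured byte limit")

// containsDotDot is true if any slash- or backslash-separated segment is "..".
// Matching whole segments keeps names such as "a..b" or "..hidden" legal.
func containsDotDot(v string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(v, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeSubdir resolves sub beneath root: dot-dot segments are rejected and an
// absolute sub is re-rooted under root rather than honoured as given.
func safeSubdir(root, sub string) (string, error) {
	if containsDotDot(sub) {
		return "", errDotDot
	}
	return filepath.Join(root, filepath.Clean("/"+sub)), nil
}

// copyAtMost copies up to limit bytes from src into dst and returns
// errTooLarge if src still has data after that, mirroring a MaxBytes cap.
func copyAtMost(dst io.Writer, src io.Reader, limit int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(src, limit))
	if err != nil {
		return n, err
	}
	var probe [1]byte // one more readable byte means the source was over the limit
	if _, err := io.ReadFull(src, probe[:]); err == nil {
		return n, errTooLarge
	}
	return n, nil
}
```

The probe read after the limited copy is what turns "download too large" into an error rather than a quietly truncated file on disk.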