Miggo Logo
Miggo Vulnerability Database
CVE-2023-0475

CVE-2023-0475:
Data Amplification in HashiCorp go-getter

4.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-0475
GHSA ID
GHSA-jpxj-2jvg-6jv9
EPSS Score
0.21011%
CWE
CWE-409
Published
2/16/2023
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/hashicorp/go-gettergo< 1.7.01.7.0
github.com/hashicorp/go-getter/v2go>= 2.0.0, < 2.2.02.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from decompressors not enforcing size/count limits. The patch added FileSizeLimit and FilesLimit fields to all decompressor structs and passed them to untar/copyReader functions. Vulnerable versions used default Decompressors map created via init() with new() constructors that didn't set these limits, making their Decompress methods process input without resource constraints. The affected functions are the Decompress methods of all compression-type specific decompressors that handle archive processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*i*orp *o-**tt*r up to *.*.* *n* *.*.* is vuln*r**l* to ***ompr*ssion *om*s. *ix** in *.*.* *n* *.*.*.

Reasoning

T** vuln*r**ility st*ms *rom ***ompr*ssors not *n*or*in* siz*/*ount limits. T** p*t** ***** *il*Siz*Limit *n* *il*sLimit *i*l*s to *ll ***ompr*ssor stru*ts *n* p*ss** t**m to unt*r/*opyR****r *un*tions. Vuln*r**l* v*rsions us** ****ult ***ompr*ssors