{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-10T21:31:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.hashicorp.com"}, {"tags": ["x_refsource_MISC"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26945", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://discuss.hashicorp.com", "refsource": "MISC", "url": "https://discuss.hashicorp.com"}, {"name": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930", "refsource": "MISC", "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:18:38.351Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.hashicorp.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26945", "datePublished": "2022-05-25T11:19:48", "dateReserved": "2022-03-12T00:00:00", "dateUpdated": "2024-08-03T05:18:38.351Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:go-getter:*:*:*:*:*:*:*:*", "matchCriteriaId": "032AE45B-B3DE-478C-B8D6-132C9DB13D2D", "versionEndIncluding": "1.5.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:go-getter:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BDF91522-8B63-4D1F-AD18-7075DC8882A3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0."}, {"lang": "es", "value": "go-getter hasta 1.5.11 y 2.0.2 permit\u00eda el cambio de protocolo, la redirecci\u00f3n infinita y la derivaci\u00f3n de la configuraci\u00f3n mediante el abuso del procesamiento de cabeceras de respuesta HTTP personalizadas. Corregido en 1.6.1 y 2.1.0"}], "id": "CVE-2022-26945", "lastModified": "2024-11-21T06:54:51.053", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-25T12:15:08.153", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6133", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "openshift4/ose-baremetal-rhel8-operator:v4.10.0-202208182025.p0.g97ce15e.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-08-31T00:00:00Z"}, {"advisory": "RHSA-2022:6258", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "openshift4/ose-cluster-baremetal-operator-rhel8:v4.10.0-202208260945.p0.g23614bb.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-09-08T00:00:00Z"}, {"advisory": "RHSA-2022:6805", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "openshift4/ose-baremetal-machine-controllers:v4.10.0-202209301647.p0.gadff401.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-10-12T00:00:00Z"}, {"advisory": "RHSA-2022:7211", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "openshift4/ose-installer:v4.10.0-202210250219.p0.g1ffe666.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-11-02T00:00:00Z"}, {"advisory": "RHSA-2022:5069", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "package": "openshift4/ose-baremetal-machine-controllers:v4.11.0-202208020235.p0.ga65be86.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2022-08-10T00:00:00Z"}, {"advisory": "RHSA-2022:5069", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "package": "openshift4/ose-baremetal-rhel8-operator:v4.11.0-202208020235.p0.g22b522c.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2022-08-10T00:00:00Z"}, {"advisory": "RHSA-2022:5069", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "package": "openshift4/ose-cluster-baremetal-operator-rhel8:v4.11.0-202208020235.p0.g0f415d1.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2022-08-10T00:00:00Z"}, {"advisory": "RHSA-2022:7201", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "package": "openshift4/ose-installer:v4.11.0-202210250857.p0.g9d1e216.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2022-11-02T00:00:00Z"}, {"advisory": "RHSA-2022:6308", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-baremetal-rhel8-operator:v4.8.0-202208241844.p0.g5492cf5.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-09-14T00:00:00Z"}, {"advisory": "RHSA-2022:6801", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-cluster-baremetal-operator-rhel8:v4.8.0-202209291426.p0.g117d47a.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-10-13T00:00:00Z"}, {"advisory": "RHSA-2022:7874", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "openshift4/ose-baremetal-machine-controllers:v4.8.0-202211031007.p0.g2dabef7.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-11-18T00:00:00Z"}, {"advisory": "RHSA-2022:6147", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "openshift4/ose-baremetal-rhel8-operator:v4.9.0-202208231335.p0.g4e7605b.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2022-08-31T00:00:00Z"}, {"advisory": "RHSA-2022:6905", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "openshift4/ose-cluster-baremetal-operator-rhel8:v4.9.0-202210061647.p0.g1a49892.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2022-10-19T00:00:00Z"}, {"advisory": "RHSA-2022:7216", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "openshift4/ose-baremetal-machine-controllers:v4.9.0-202210241459.p0.g41aa1f7.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2022-11-03T00:00:00Z"}, {"advisory": "RHSA-2022:9111", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "openshift4/ose-installer:v4.9.0-202212060115.p0.gf079984.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2023-01-06T00:00:00Z"}, {"advisory": "RHSA-2022:5673", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8-tech-preview/osp-director-downloader:1.2.3-3", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-07-20T00:00:00Z"}, {"advisory": "RHSA-2022:5673", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "rhosp-rhel8-tech-preview/osp-director-operator:1.2.3-3", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-07-20T00:00:00Z"}], "bugzilla": {"description": "go-getter: command injection vulnerability", "id": "2092928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2092928"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.", "A flaw was found in go-getter. This flaw allows an attacker to misuse go-getter to execute commands on the host. This action may be possible when symlink processing and path traversal are allowed."], "mitigation": {"lang": "en:us", "value": "The fix includes new configuration options to help limit the security exposure and have more secure defaults."}, "name": "CVE-2022-26945", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/agent-service-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/cluster-curator-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/clusterlifecycle-state-metrics-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/managedcluster-import-controller-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicloud-manager-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multiclusterhub-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/multicluster-operators-application-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-aggregator-rhel7", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/subctl-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/submariner-rhel8-operator", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-baremetal-installer-rhel7", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-installer-artifacts", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odr-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Will not fix", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "osp-director-provisioner-container", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-operator-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2022-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-26945\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-26945\nhttps://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930"], "threat_severity": "Important", "upstream_fix": "github.com/hashicorp/go-getter 1.6.1, github.com/hashicorp/go-getter 2.1.0"}