CVE-2023-0475 - Vulnerability Details - OpenCVE

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00073.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Hashicorp	Go-getter
Redhat	Openshift

Configuration 1 [-]

OR	cpe:2.3:a:hashicorp:go-getter::::::::
	cpe:2.3:a:hashicorp:go-getter:2.1.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 4.14
openshift4/ose-installer:v4.14.0-202310201027.p0.g03546e5.assembly.stream	cpe:/a:redhat:openshift:4.14::el8	RHSA-2023:5006	2023-10-31T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-0733	HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Github GHSA	GHSA-jpxj-2jvg-6jv9	Data Amplification in HashiCorp go-getter

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
https://nvd.nist.gov/vuln/detail/CVE-2023-0475
https://www.cve.org/CVERecord?id=CVE-2023-0475

History

Thu, 08 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openshift_security_profiles_operator_stable:::el8~~
Vendors & Products	Redhat openshift Security Profiles Operator Stable

Tue, 18 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published: 2023-02-16T18:35:37.518Z

Updated: 2025-03-18T14:39:33.175Z

Reserved: 2023-01-24T17:05:24.695Z

Link: CVE-2023-0475

Vulnrichment

Updated: 2024-08-02T05:10:56.209Z

NVD

Status : Modified

Published: 2023-02-16T19:15:13.867

Modified: 2024-11-21T07:37:15.350

Link: CVE-2023-0475

Redhat

Severity : Moderate

Publid Date: 2023-02-16T00:00:00Z

Links: CVE-2023-0475 - Bugzilla

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0475", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2023-01-24T17:05:24.695Z", "datePublished": "2023-02-16T18:35:37.518Z", "dateUpdated": "2025-03-18T14:39:33.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2023-02-16T18:35:37.518Z"}, "title": "Go-Getter Vulnerable to Decompression Bombs", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-409", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-572", "descriptions": [{"lang": "en", "value": "CAPEC-572 Artificially Inflate File Sizes"}]}], "affected": [{"vendor": "HashiCorp", "product": "go-getter", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "repo": "https://github.com/hashicorp/go-getter", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.6.2", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThanOrEqual": "2.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0."}]}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 4.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.209Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-18T14:39:22.337072Z", "id": "CVE-2023-0475", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-18T14:39:33.175Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.209Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-0475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-18T14:39:22.337072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-18T14:37:22.500Z"}}], "cna": {"title": "Go-Getter Vulnerable to Decompression Bombs", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-572", "descriptions": [{"lang": "en", "value": "CAPEC-572 Artificially Inflate File Sizes"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "product": "go-getter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.2"}, {"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.1"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"}], "descriptions": [{"lang": "en", "value": "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.", "supportingMedia": [{"type": "text/html", "value": "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2023-02-16T18:35:37.518Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0475", "state": "PUBLISHED", "dateUpdated": "2025-03-18T14:39:33.175Z", "dateReserved": "2023-01-24T17:05:24.695Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2023-02-16T18:35:37.518Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hashicorp:go-getter:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D28DF0E-9F2C-43E8-80DE-E8F984651104", "versionEndIncluding": "1.6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hashicorp:go-getter:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "257D6714-497C-498D-97AA-EA0366238072", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0."}], "id": "CVE-2023-0475", "lastModified": "2024-11-21T07:37:15.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-16T19:15:13.867", "references": [{"source": "security@hashicorp.com", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security@hashicorp.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5006", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-installer:v4.14.0-202310201027.p0.g03546e5.assembly.stream", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2023-10-31T00:00:00Z"}], "bugzilla": {"description": "go-getter: go-getter vulnerable to denial of service via malicious compressed archive", "id": "2170844", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170844"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-409", "details": ["HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.", "A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive."], "name": "CVE-2023-0475", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/topology-aware-lifecycle-manager-rhel8-operator", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-security-profiles-operator-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel9-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odr-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Will not fix", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}], "public_date": "2023-02-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0475\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0475\nhttps://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"], "threat_severity": "Moderate"}