Information Disclosure in Hashicorp go-getter Library
CVE-2022-29810

5.5MEDIUM

Key Information:

Vendor
Hashicorp
Status
Go-getter
Vendor
CVE Published:
27 April 2022

Summary

The go-getter library by Hashicorp prior to version 1.5.11 has a flaw where it fails to redact sensitive SSH keys from URL query parameters. This oversight could expose private information, potentially allowing attackers to harvest sensitive credentials from logs or other outputs that include unredacted URLs. It is crucial for users to upgrade to the latest version to mitigate this risk.

References

https://github.com/hashicorp/go-getter/pull/348
x_refsource_MISC
https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
x_refsource_MISC
https://github.com/hashicorp/go-getter/commit/36b68b2f68a...
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.