HCSEC-2022-13 - Multiple Vulnerabilities In go-getter Library

Bulletin ID: HCSEC-2022-13
Affected Products / Versions: go-getter up to 1.5.11 and 2.0.2; fixed in 1.6.1 and 2.1.0.
Publication Date: May 24, 2022

Summary
Multiple vulnerabilities were identified in HashiCorp’s go-getter library up to 1.5.11 and 2.0.2. These vulnerabilities (CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323) were fixed in go-getter 1.6.1 and 2.1.0.

Background
HashiCorp’s go-getter is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

Details
A combination of external reports and internal testing led to the discovery of several vulnerabilities in go-getter:

  • Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

  • Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.

  • Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.

  • A panic was triggered when go-getter processed password-protected ZIP files.

Exposure of these issues will depend on the context and threat model of the system in which the go-getter library is used. For example, server-side usage of go-getter likely has a greater degree of exposure to these issues than client-side usage of go-getter.

Remediation
Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and consider upgrading to go-getter 1.6.1 and 2.1.0, or newer.

Some fixes were changes to default behavior but as part of the upgrade, review and consider using new go-getter configuration options (DisableSymlinks, DoNotCheckHeadFirst, HeadFirstTimeout, ReadTimeout, MaxBytes, ConfigInDestinationDisabled, XTerraformGetDisabled, and XTerraformGetLimit) to more completely address exposure.

Acknowledgement
These issues were identified by external researchers (Joern Schneeweisz of GitLab and Alessio Della Libera of Snyk) and HashiCorp Product Security team members.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.