HCSEC-2023-04 - go-getter vulnerable to denial of service via malicious compressed archive

Bulletin ID: HCSEC-2023-04
Affected Products / Versions: go-getter up to 1.6.2 and 2.1.1; fixed in 1.7.0 and 2.2.0.
Publication Date: February 13, 2023

Summary
HashiCorp’s go-getter library up to 1.6.2 and 2.1.1 is vulnerable to denial of service via a malicious compressed archive. This vulnerability, CVE-2023-0475, was fixed in go-getter 1.7.0 and 2.2.0.

Background
HashiCorp’s go-getter is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

Details
During internal testing, we observed that it was possible to reliably crash the go-getter library using a maliciously crafted compressed archive. Exploitation requires that an attacker be able to supply malicious URL inputs to a go-getter call that uses a decompressor.

Exposure of this issue will depend on the context and threat model of the system in which the go-getter library is used. For example, server-side usage of go-getter likely has a greater degree of exposure to these issues than client-side usage of go-getter.

Remediation
Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and consider upgrading to go-getter 1.7.0 or 2.2.0, or newer.

Review the new configuration options for go-getter decompressors, FileSizeLimit and FilesLimit, and consider using them to reduce exposure.
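To show what FileSizeLimit and FilesLimit protect against, here is an added Go example written for this bulletin (not go-getter's own implementation; extractLimited and makeTarGz are hypothetical names) that enforces the same two budgets over a .tar.gz stream with only the standard library, and builds a constructed sample archive that inflates roughly a thousandfold:

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// extractLimited lists a .tar.gz stream's entries but fails fast once the entry count or the
// bytes actually inflated exceed their (positive) budgets, so a bomb cannot exhaust memory or disk.
func extractLimited(archive []byte, filesLimit int, sizeLimit int64) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	// All tar-layer reads pass through lr, so lr.N reaching 0 means the inflated stream exceeds sizeLimit.
	lr := &io.LimitedReader{R: gz, N: sizeLimit + 1}
	tr, names := tar.NewReader(lr), []string{}
	for {
		hdr, err := tr.Next() // Next also skips the previous entry's body, through lr
		if lr.N == 0 {
			return nil, fmt.Errorf("decompressed size exceeds limit of %d bytes", sizeLimit)
		} else if err == io.EOF {
			return names, nil
		} else if err != nil {
			return nil, err
		}
		if len(names) >= filesLimit {
			return nil, fmt.Errorf("entry count exceeds limit of %d", filesLimit)
		}
		names = append(names, hdr.Name) // a real extractor would write the entry out here
	}
}

// makeTarGz builds a constructed sample (not from the bulletin): count entries of size zero bytes each.
func makeTarGz(count int, size int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < count; i++ {
		tw.WriteHeader(&tar.Header{Name: fmt.Sprintf("f%d", i), Mode: 0600, Size: size})
		tw.Write(make([]byte, size))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

With makeTarGz(3, 1<<20) as input, a 1 MiB size budget is tripped while skipping the second entry, an entry budget of 2 is tripped by the third header, and generous limits return the three names.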

Acknowledgement
This issue was identified by HashiCorp’s Partner Solution engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.