
HCSEC-2022-13

**Bulletin ID:** HCSEC-2022-13

**Affected Products / Versions:** go-getter up to 1.5.11 and 2.0.2; fixed in 1.6.1 and 2.1.0.

**Publication Date:** May 24, 2022

**Summary**

Multiple vulnerabilities were identified in HashiCorp’s go-getter library up to 1.5.11 and 2.0.2. These vulnerabilities (CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323) were fixed in go-getter 1.6.1 and 2.1.0.

**Background**

HashiCorp’s [go-getter](https://github.com/hashicorp/go-getter) is a Go library for downloading files or directories from various sources using a URL as the primary form of input.

**Details**

A combination of external reports and internal testing led to the discovery of several vulnerabilities in go-getter:

* Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
* Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
* Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
* A panic was triggered when go-getter processed password-protected ZIP files.

Exposure to these issues depends on the context and threat model of the system in which the go-getter library is used. For example, server-side usage of go-getter likely has a greater degree of exposure to these issues than client-side usage.

**Remediation**

Consumers of the go-getter library should evaluate the risk associated with these issues in the context of their go-getter usage and consider upgrading to go-getter 1.6.1 and 2.1.0, or newer. Some of the fixes change default behavior; as part of the upgrade, review the new go-getter configuration options (`DisableSymlinks`, `DoNotCheckHeadFirst`, `HeadFirstTimeout`, `ReadTimeout`, `MaxBytes`, `ConfigInDestinationDisabled`, `XTerraformGetDisabled`, and `XTerraformGetLimit`) and consider using them to more completely address exposure.
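To make the remediation guidance concrete, the following is an added, stand-alone Go illustration (not go-getter's code and not from HashiCorp) of what three of the new HttpGetter options, `ReadTimeout`, `MaxBytes` and `XTerraformGetLimit`, are meant to bound: a toy fetcher that times out a stalling server, rejects an oversized body, caps `X-Terraform-Get` hops and refuses a hop that would switch protocols. The `Limits` type and the `FetchWithLimits`/`fetchOnce` functions are assumed names and only model the intent of the options, not go-getter's implementation.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

// Limits stands in for three HttpGetter options the bulletin names; all must be positive here.
type Limits struct {
	ReadTimeout        time.Duration // budget for one request, body read included
	MaxBytes           int64         // largest response body accepted
	XTerraformGetLimit int           // X-Terraform-Get hops followed before giving up
}

// FetchWithLimits follows X-Terraform-Get hops only to http(s) targets, at most lim.XTerraformGetLimit times.
func FetchWithLimits(src string, lim Limits) ([]byte, error) {
	for hop := 0; hop <= lim.XTerraformGetLimit; hop++ {
		body, next, err := fetchOnce(src, lim)
		if err != nil {
			return nil, err
		}
		if next == "" {
			return body, nil // final response: the server asked for no further hop
		}
		if u, err := url.Parse(next); err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			return nil, fmt.Errorf("refusing X-Terraform-Get target %q: not an http(s) URL", next)
		}
		src = next
	}
	return nil, fmt.Errorf("X-Terraform-Get hop limit %d exceeded", lim.XTerraformGetLimit)
}

// fetchOnce does one GET under the timeout and size cap, returning any X-Terraform-Get header too.
func fetchOnce(src string, lim Limits) ([]byte, string, error) {
	client := &http.Client{Timeout: lim.ReadTimeout} // covers connect, redirects and body read
	resp, err := client.Get(src)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	// MaxBytesReader fails the read once the body passes MaxBytes instead of silently truncating it.
	body, err := io.ReadAll(http.MaxBytesReader(nil, resp.Body, lim.MaxBytes))
	if err != nil {
		return nil, "", fmt.Errorf("GET %s: %w", src, err)
	}
	return body, resp.Header.Get("X-Terraform-Get"), nil
}
```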
**Acknowledgement** These issues were identified by external researchers (Joern Schneeweisz of GitLab and Alessio Della Libera of Snyk) and HashiCorp Product Security team members. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*

Timeline

  • May 24, 2022 CVE Published