CVE-2023-0475 : HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs.

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

Published 2023-02-16 19:15:14

Updated 2023-02-27 18:33:13

Source HashiCorp Inc.

View at NVD, CVE.org

Products affected by CVE-2023-0475

Hashicorp » Go-getter
Versions up to, including, (<=) 1.6.2
cpe:2.3:a:hashicorp:go-getter:*:*:*:*:*:*:*:*
Matching versions
Hashicorp » Go-getter » Version: 2.1.1
cpe:2.3:a:hashicorp:go-getter:2.1.1:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 24 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
4.2	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H	0.6	3.6	HashiCorp Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Assigned by: security@hashicorp.com (Secondary)

https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125

HCSEC-2023-4 - go-getter vulnerable to denial of service via malicious compressed archive - Security - HashiCorp Discuss
Vendor Advisory

Jump to