Description
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://discuss.hashicorp.com
Mitigation, Vendor Advisory x_refsource_misc
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
Scores
CVSS v3
9.8
EPSS
0.0020
EPSS Percentile
41.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (4)
hashicorp/go-getter
2.0.2
hashicorp/go-getter
< 1.5.11
hashicorp/go-getter
0 - 1.6.1Go
hashicorp/go-getter
0 - 2.1.0 (3 CPE variants)Go
Published
May 25, 2022
Tracked Since
Feb 18, 2026