CVE-2022-30321

HIGH

HashiCorp go-getter < 1.5.11, 2.0.2 - Path Traversal and Command Injection

Title source: llm

Description

go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://discuss.hashicorp.com

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/hashicorp/go-getter/releases

Vendor Advisory x_refsource_misc

https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Scores

CVSS v3 8.6

EPSS 0.0651

EPSS Percentile 91.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Details

CWE

CWE-22 CWE-77 CWE-59

Status published

Products (4)

hashicorp/go-getter 2.0.2

hashicorp/go-getter < 1.5.11

hashicorp/go-getter 0 - 1.6.1Go

hashicorp/go-getter 0 - 2.1.0 (3 CPE variants)Go

Published May 25, 2022

Tracked Since Feb 18, 2026