URL: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
HashiCorp Discuss


HCSEC-2023-4 - GO-GETTER VULNERABLE TO DENIAL OF SERVICE VIA MALICIOUS
COMPRESSED ARCHIVE

Security

eastebry, February 13, 2023, 11:29pm

Bulletin ID: HCSEC-2023-04
Affected Products / Versions: go-getter up to 1.6.2 and 2.1.1; fixed in 1.7.0 and 2.2.0.
Publication Date: February 13, 2023

Summary
HashiCorp’s go-getter library up to 1.6.2 and 2.1.1 is vulnerable to denial of
service via a malicious compressed archive. This vulnerability, CVE-2023-0475, was
fixed in go-getter 1.7.0 and 2.2.0.

Background
HashiCorp’s go-getter is a Go library for downloading files or directories from
various sources using a URL as the primary form of input.

Details
During internal testing, we observed that it was possible to reliably crash the
go-getter library using a maliciously crafted compressed archive. Exploitation
requires that an attacker be able to supply malicious URL inputs to a go-getter
call that uses a decompressor.

Exposure of this issue will depend on the context and threat model of the system
in which the go-getter library is used. For example, server-side usage of
go-getter likely has a greater degree of exposure to these issues than
client-side usage of go-getter.

Remediation
Consumers of the go-getter library should evaluate the risk associated with this
issue in the context of their go-getter usage and consider upgrading to
go-getter 1.7.0 or 2.2.0, or newer.

Review and consider using the new configuration options for go-getter decompressors
(FileSizeLimit and FilesLimit) to reduce exposure.
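As an added illustration of what two such decompressor limits guard against (example code written for this edit, not go-getter's own; the exact semantics of FileSizeLimit and FilesLimit are assumed here, and the tar.gz fixture is constructed in memory), a minimal limit-enforcing scanner in Go:

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// ScanTarGz enforces the two limits the advisory names on a tar.gz stream: filesLimit caps
// entries, fileSizeLimit caps total declared uncompressed bytes (0 = unlimited; semantics assumed).
func ScanTarGz(r io.Reader, filesLimit int, fileSizeLimit int64) (files int, total int64, err error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return 0, 0, err
	}
	for tr := tar.NewReader(gz); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, total, nil // clean end of archive
		} else if err != nil {
			return files, total, err
		}
		if files++; filesLimit > 0 && files > filesLimit {
			return files, total, fmt.Errorf("too many files: %d > %d", files, filesLimit)
		}
		// Check declared size before inflating; a real extractor would copy the entry to disk here.
		if total += hdr.Size; fileSizeLimit > 0 && total > fileSizeLimit {
			return files, total, fmt.Errorf("archive too large: %d > %d bytes", total, fileSizeLimit)
		}
	}
}

// BuildArchive returns an in-memory tar.gz of n zero-filled files of size bytes (constructed fixture).
func BuildArchive(n, size int) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < n; i++ {
		tw.WriteHeader(&tar.Header{Name: fmt.Sprintf("f%d", i), Size: int64(size), Typeflag: tar.TypeReg})
		tw.Write(make([]byte, size))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
func main() { // 10 MiB declared inside a few KiB of gzip: rejected at the fifth entry
	fmt.Println(ScanTarGz(bytes.NewReader(BuildArchive(10, 1<<20)), 100, 4<<20))
}
```

The size check runs on the header before the entry is inflated, so a small compressed input declaring a huge payload is rejected after at most the limit's worth of decompression.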

Acknowledgement
This issue was identified by HashiCorp’s Partner Solution engineering team.

We deeply appreciate any effort to coordinate disclosure of security
vulnerabilities. For information about security at HashiCorp and the reporting
of security vulnerabilities, please see https://hashicorp.com/security.
