CVE-2022-26945
Resource exhaustion in github.com/hashicorp/go-getter and related modules
CVSS 3.1 base score: 8.6 (HIGH)
EPSS: 0.20%
Description
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
How to fix CVE-2022-26945
To remediate CVE-2022-26945, upgrade the affected package to a fixed version below.
- Debian/golang-github-hashicorp-go-getter—no fix listed
- —upgrade to 1.6.1 or later
- —upgrade to 1.6.1 or later
- —upgrade to 1.6.1 or later
- —upgrade to 1.6.1 or later
- —upgrade to 1.6.1 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
- —upgrade to 2.1.0 or later
Is CVE-2022-26945 being exploited?
Low: the EPSS score is 0.2%, which indicates a low estimated probability of exploitation in the wild; it is not evidence of large-scale exploitation activity.
Affected packages (21)
- from 0
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 2.1.0
- from 0, < 2.1.0
- from 0, < 2.1.0
- from 0, < 2.1.0
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |