More information
#### Details
HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.
#### Severity
Unknown
#### References
- [https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125](https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125)
- [https://github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6](https://togithub.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6)
- [https://github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc](https://togithub.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2023-1578) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
Data Amplification in HashiCorp go-getter
CVE-2023-0475 / GHSA-jpxj-2jvg-6jv9 / GO-2023-1578
More information
#### Details
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
#### Severity
- CVSS Score: 4.2 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2023-0475](https://nvd.nist.gov/vuln/detail/CVE-2023-0475)
- [https://github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6](https://togithub.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6)
- [https://github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc](https://togithub.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc)
- [https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125](https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125)
- [https://github.com/hashicorp/go-getter](https://togithub.com/hashicorp/go-getter)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jpxj-2jvg-6jv9) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.0`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.0)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0)
#### What's Changed
- docs: provide logging recommendations by [@mickael-hc](https://togithub.com/mickael-hc) in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371)
- Update aws sdk version by [@Jukie](https://togithub.com/Jukie) in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384)
- Update S3 URL in README by [@twelvelabs](https://togithub.com/twelvelabs) in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378)
- Migrate to GHA by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/379](https://togithub.com/hashicorp/go-getter/pull/379)
- \[COMPLIANCE] Update MPL 2.0 LICENSE by [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386)
- remove codesign entirely from go-getter by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/408](https://togithub.com/hashicorp/go-getter/pull/408)
- Add decompression bomb mitigation options for v1 by [@picatz](https://togithub.com/picatz) in [https://github.com/hashicorp/go-getter/pull/412](https://togithub.com/hashicorp/go-getter/pull/412)
- v1: decompressors: add LimitedDecompressors helper by [@shoenig](https://togithub.com/shoenig) in [https://github.com/hashicorp/go-getter/pull/413](https://togithub.com/hashicorp/go-getter/pull/413)
#### New Contributors
- [@mickael-hc](https://togithub.com/mickael-hc) made their first contribution in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371)
- [@Jukie](https://togithub.com/Jukie) made their first contribution in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384)
- [@twelvelabs](https://togithub.com/twelvelabs) made their first contribution in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378)
- [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) made their first contribution in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0
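The advisory above describes go-getter inflating an attacker-supplied archive with no bound on the output, and the v1.7.0 notes list the fix as decompression bomb mitigation options (#412) plus a `LimitedDecompressors` helper (#413). The Go program below is an added example, not go-getter's own code, showing the bounded-extraction pattern those changes introduce: a file-count limit, a per-file size limit and a total size limit, all enforced on bytes actually inflated, checked against a constructed `.tar.gz` bomb. The `Limits` type and its fields, `MakeTarGzBomb` and `ExtractBounded` are this example's own names and are not go-getter's API.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// Limits bounds what an untrusted archive may produce on extraction.
// Hypothetical names for this example; not go-getter's configuration fields.
type Limits struct {
	MaxFiles      int   // maximum number of regular files extracted
	MaxFileBytes  int64 // maximum decompressed size of any single entry
	MaxTotalBytes int64 // maximum decompressed size of the whole archive
}

var (
	ErrTooManyFiles    = errors.New("archive exceeds file count limit")
	ErrFileTooLarge    = errors.New("archive entry exceeds per-file size limit")
	ErrArchiveTooLarge = errors.New("archive exceeds total size limit")
)

// MakeTarGzBomb builds a small .tar.gz of `files` entries, each `fileSize` bytes
// of zeros. Zeros deflate at roughly 1000:1, so tens of KiB inflate to tens of
// MiB. Constructed sample input for this example, not a payload from the advisory.
func MakeTarGzBomb(files int, fileSize int64) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	tw := tar.NewWriter(zw)
	zeros := make([]byte, 64*1024)
	for i := 0; i < files; i++ {
		// Writes to an in-memory buffer cannot fail, so errors are not checked.
		_ = tw.WriteHeader(&tar.Header{
			Name: fmt.Sprintf("f%d", i), Mode: 0644, Size: fileSize, Typeflag: tar.TypeReg,
		})
		for written := int64(0); written < fileSize; {
			n := int64(len(zeros))
			if fileSize-written < n {
				n = fileSize - written
			}
			_, _ = tw.Write(zeros[:n])
			written += n
		}
	}
	_ = tw.Close()
	_ = zw.Close()
	return buf.Bytes()
}

// ExtractBounded streams the archive and returns the regular-file count and the
// total decompressed bytes it processed, failing closed as soon as any limit is
// crossed. Content goes to io.Discard so the example never touches disk; a real
// extractor would write to a file at the same point.
func ExtractBounded(archive []byte, lim Limits) (int, int64, error) {
	zr, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return 0, 0, err
	}
	defer zr.Close()
	tr := tar.NewReader(zr)
	files, total := 0, int64(0)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, total, nil
		}
		if err != nil {
			return files, total, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		files++
		if files > lim.MaxFiles {
			return files, total, ErrTooManyFiles
		}
		// The declared size is attacker-controlled; rejecting on it is only a
		// cheap early exit. The byte count below is what is actually enforced.
		if hdr.Size > lim.MaxFileBytes {
			return files, total, ErrFileTooLarge
		}
		// Read at most one byte past the per-file limit so an oversized entry
		// is detected without inflating it in full.
		n, err := io.Copy(io.Discard, io.LimitReader(tr, lim.MaxFileBytes+1))
		if err != nil {
			return files, total, err
		}
		if n > lim.MaxFileBytes {
			return files, total, ErrFileTooLarge
		}
		total += n
		if total > lim.MaxTotalBytes {
			return files, total, ErrArchiveTooLarge
		}
	}
}

func main() {
	bomb := MakeTarGzBomb(4, 8<<20) // 32 MiB inflated, a few tens of KiB compressed
	lim := Limits{MaxFiles: 100, MaxFileBytes: 1 << 20, MaxTotalBytes: 16 << 20}
	fmt.Printf("bomb is %d bytes compressed\n", len(bomb))
	files, total, err := ExtractBounded(bomb, lim)
	fmt.Printf("files=%d total=%d err=%v\n", files, total, err)
}
```

The two properties that matter are that the limits are measured on inflated bytes rather than on the compressed size or the declared entry size, and that extraction stops at the first violation, so a bomb costs at most one limit's worth of memory and CPU. When upgrading to 1.7.0, set the equivalent file-count and file-size limits on the decompressors you use; the advisory and the linked PRs are the place to confirm the exact field names and their defaults.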
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR contains the following updates:
- github.com/hashicorp/go-getter: `v1.6.2` -> `v1.7.0`
GitHub Vulnerability Alerts
CVE-2023-0475
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Denial of service in github.com/hashicorp/go-getter/v2
CVE-2023-0475 / GHSA-jpxj-2jvg-6jv9 / GO-2023-1578