CVE-2022-30323

8.6 HIGH

📋 TL;DR

This vulnerability in the go-getter library causes a panic (crash) when processing password-protected ZIP files. It affects applications that use go-getter for file retrieval, up to version 1.5.11 on the v1 line and 2.0.2 on the v2 line. The crash results in denial of service and could potentially be leveraged for further attacks.

💻 Affected Systems

Products:
  • go-getter library
  • Applications using go-getter for file retrieval
Versions: go-getter <= 1.5.11, go-getter <= 2.0.2
Operating Systems: All platforms where go-getter is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using go-getter to retrieve or process ZIP files is vulnerable. This includes HashiCorp tools and custom applications using the library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Application crashes when processing malicious ZIP files, leading to denial of service. In containerized environments, this could cause pod restarts and service disruption.

🟠 Likely Case

Service disruption when legitimate password-protected ZIP files are processed, causing temporary unavailability until the service restarts.

🟢 If Mitigated

Minimal impact with proper input validation and error handling that catches panics before they crash the application.

🌐 Internet-Facing: MEDIUM - Applications accepting ZIP file uploads or URLs from untrusted sources could be targeted with crafted ZIP files to cause service disruption.
🏢 Internal Only: LOW - Internal systems processing known, trusted ZIP files are unlikely to encounter malicious payloads.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to process a password-protected ZIP file. No authentication needed if the application accepts ZIP files from untrusted sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: go-getter 1.6.1, go-getter 2.1.0

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930

Restart Required: Yes

Instructions:

1. Update the go-getter dependency to 1.6.1+ (for v1) or 2.1.0+ (for v2).
2. Update go.mod to reference the patched version.
3. Rebuild and redeploy the application.
4. Restart services using the updated library.

🔧 Temporary Workarounds

Input validation for ZIP files (all platforms)

Implement validation to reject password-protected ZIP files before processing with go-getter.

Panic recovery middleware (all platforms)

Add panic recovery handlers in applications using go-getter to prevent crashes.
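Both workarounds above, written out as an added Go example (not go-getter's own code): the pre-check reads each central-directory entry's general-purpose flags, which Go's archive/zip exposes as FileHeader.Flags (bit 0 marks a password-protected entry), and the guard turns a panic raised by the extractor into an ordinary error. The `extract` callback stands in for whatever go-getter call the application makes, and the sample archive is constructed in memory.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
)

var ErrEncryptedZip = errors.New("zip archive contains password-protected entries")

// HasEncryptedEntry inspects only the central directory; nothing is decompressed.
func HasEncryptedEntry(data []byte) (bool, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return false, err
	}
	for _, f := range zr.File {
		if f.Flags&0x1 != 0 { // bit 0 = traditional PKWARE or AES encryption
			return true, nil
		}
	}
	return false, nil
}

// GuardedExtract rejects password-protected archives up front and turns a panic in
// extract (the CVE-2022-30323 failure mode) into an error; extract is an assumed stand-in for the go-getter call.
func GuardedExtract(data []byte, extract func([]byte) error) (err error) {
	if encrypted, ierr := HasEncryptedEntry(data); ierr != nil {
		return fmt.Errorf("inspecting zip: %w", ierr)
	} else if encrypted {
		return ErrEncryptedZip
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("extractor panicked: %v", r)
		}
	}()
	return extract(data)
}

// BuildSampleZip builds a one-entry archive in memory (constructed test data; flags=0x1 sets the bit only, no real encryption).
func BuildSampleZip(flags uint16) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.CreateHeader(&zip.FileHeader{Name: "payload.txt", Method: zip.Store, Flags: flags})
	w.Write([]byte("hello"))
	zw.Close()
	return buf.Bytes()
}
```

Run the check before the archive reaches go-getter; rejecting on inspection failure (malformed input) is the safe default, since only archives that parse cleanly and carry no encrypted entries are handed on.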

🧯 If You Can't Patch

  • Implement strict input validation to reject all password-protected ZIP files
  • Deploy rate limiting and monitoring for ZIP file processing to detect and block attack attempts

🔍 How to Verify

Check if Vulnerable:

Check go.mod or vendored dependencies for the go-getter version. If the version is 1.5.11 or earlier (v1) or 2.0.2 or earlier (v2), the system is vulnerable.

Check Version:

grep 'hashicorp/go-getter' go.mod | grep -oE 'v[12]\.[0-9]+\.[0-9]+'

Verify Fix Applied:

Verify that the go-getter version is 1.6.1+ or 2.1.0+ in the dependencies. Test processing a password-protected ZIP file to confirm that no panic occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application panic/crash logs mentioning go-getter or ZIP processing
  • Error logs containing 'panic:' or 'fatal:' during file retrieval

Network Indicators:

  • Unusual volume of ZIP file download or upload requests to vulnerable endpoints

SIEM Query:

source="application.logs" AND ("panic" OR "fatal") AND ("go-getter" OR "ZIP")
