Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-jpxj-2jvg-6jv9: Data Amplification in HashiCorp go-getter

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

ghsa
#git

Data Amplification in HashiCorp go-getter

Moderate severity GitHub Reviewed Published Feb 16, 2023 to the GitHub Advisory Database • Updated Feb 16, 2023

Related news

Red Hat Security Advisory 2023-2029-01

Red Hat Security Advisory 2023-2029-01 - The OpenShift Security Profiles Operator v0.7.0 is now available. Issues addressed include a denial of service vulnerability.

RHSA-2023:2029: Red Hat Security Advisory: OpenShift Security Profiles Operator bug fix update

An updated Security Profiles Operator image that fixes various bugs is now available for the Red Hat OpenShift Enterprise 4 catalog.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0475: A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive. * CVE-2023-25173: A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information o...

CVE-2023-0475: HCSEC-2023-4 - go-getter vulnerable to denial of service via malicious compressed archive

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.