Approved changes feed: RSS · Atom
cpe:2.3:a:hashicorp:go-getter:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Hashicorp (dc524c16-6a01-528e-a41c-9d3e02e5e4a3) |
|---|---|
| Product | Go Getter (b685d6ca-3af6-5195-94cd-38a699db4f50) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:deb/debian/golang-github-hashicorp-go-getter |
purl2cpe | 2026-06-01 10:14:57.112333 |
pkg:deb/ubuntu/golang-github-hashicorp-go-getter |
purl2cpe | 2026-06-01 10:14:57.112335 |
pkg:github/hashicorp/go-getter |
purl2cpe | 2026-06-01 10:14:57.112336 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-8959 |
vulnerable | 2026-06-03 15:13:45.169537 |
HashiCorp go-getter Vulnerable to Arbitrary Read through Symlink Attack
HIGH (7.5)
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
Published: 2025-08-15T20:32:52.335Z
Updated: 2025-08-15T20:46:06.131Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-6257 |
vulnerable | 2026-06-03 14:58:02.410917 |
HashiCorp go-getter Vulnerable to Code Execution On Git Update Via Git Config Manipulation
HIGH (8.4)
HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.
Published: 2024-06-25T16:31:03.882Z
Updated: 2024-08-01T21:33:05.245Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-3817 |
vulnerable | 2026-06-03 14:56:32.107240 |
HashiCorp go-getter Vulnerable to Argument Injection When Fetching Remote Default Git Branches
CRITICAL (9.8)
HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches.
This vulnerability does not affect the go-getter/v2 branch and package.
Published: 2024-04-17T19:37:25.878Z
Updated: 2024-08-01T20:20:01.607Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-0475 |
vulnerable | 2026-06-03 14:48:46.485103 |
Go-Getter Vulnerable to Decompression Bombs
MEDIUM (4.2)
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Published: 2023-02-16T18:35:37.518Z
Updated: 2025-03-18T14:39:33.175Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-30323 |
vulnerable | 2026-06-03 14:47:08.603198 |
Details available
go-getter up to 1.5.11 and 2.0.2 panicked when processing password-protected ZIP files. Fixed in 1.6.1 and 2.1.0.
Published: 2022-05-25T11:19:30.000Z
Updated: 2024-08-03T06:48:35.599Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-30322 |
vulnerable | 2026-06-03 14:47:08.602820 |
Details available
go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustion when go-getter processed malicious HTTP responses. Fixed in 1.6.1 and 2.1.0.
Published: 2022-05-25T11:19:35.000Z
Updated: 2024-08-03T06:48:35.602Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-30321 |
vulnerable | 2026-06-03 14:47:08.601634 |
Details available
go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0.
Published: 2022-05-25T11:19:42.000Z
Updated: 2024-08-03T06:48:35.687Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-29810 |
vulnerable | 2026-06-03 14:46:58.930460 |
Details available
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
Published: 2022-04-27T05:50:30.000Z
Updated: 2024-08-03T06:33:42.774Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-26945 |
vulnerable | 2026-06-03 14:46:45.422722 |
Details available
go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless redirect, and configuration bypass via abuse of custom HTTP response header processing. Fixed in 1.6.1 and 2.1.0.
Published: 2022-05-25T11:19:48.000Z
Updated: 2024-08-03T05:18:38.351Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.