CVE-2022-29810

NameCVE-2022-29810
DescriptionThe Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-hashicorp-go-getter (PTS)buster, stretch0.0~git20160316.0.575ec4e-1fixed
sid, trixie, bullseye, bookworm1.4.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-hashicorp-go-gettersource(unstable)(not affected)

Notes

- golang-github-hashicorp-go-getter <not-affected> (Vulnerable code introduced later)
https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc (v1.5.11)
introduced in https://github.com/hashicorp/go-getter/commit/854150ffed2dc250662096b4309b3510a13e0574 (v1.5.8)
Search for package or bug name: Reporting problems