Main Vulnerability Database Vulnerabilities #VU64700

#VU64700 Inclusion of Sensitive Information in Log Files in go-getter - CVE-2022-29810

Published: June 27, 2022 / Updated: June 28, 2022

Vulnerability identifier: #VU64700

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-29810

CWE-ID: CWE-532

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
go-getter

Software vendor:
HashiCorp

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to go-getter library can write SSH credentials into its log file. A local user with access to log files can read credentials in clear text, which may lead to privilege escalation or account takeover.

Remediation

Install updates from vendor's website.

External links

https://github.com/hashicorp/go-getter/pull/348
https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
https://bugzilla.redhat.com/show_bug.cgi?id=2080279