Description
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
A flaw was found in the HashiCorp go-getter package. Affected versions of the HashiCorp go-getter package are vulnerable to a denial of service via a malicious compressed archive.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift4/topology-aware-lifecycle-manager-rhel8-operator | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift-security-profiles-operator-container | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-rhel9-operator | Affected | | |
| Red Hat Openshift Data Foundation 4 | odf4/odr-rhel8-operator | Affected | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-operator-rhel8 | Will not fix | | |
| Red Hat OpenShift Data Science (RHODS) | rhods/odh-rhel8-operator | Will not fix | | |
| Red Hat OpenShift Container Platform 4.14 | openshift4/ose-installer | Fixed | RHSA-2023:5006 | 31.10.2023 |
Additional information
Status: Moderate
Defect: CWE-409
https://bugzilla.redhat.com/show_bug.cgi?id=2170844 go-getter: go-getter vulnerable to denial of service via malicious compressed archive
EPSS: 0.00078, percentile: 23%, Low
CVSS3: 4.2 Medium
Related vulnerabilities
CVSS3: 4.2
ubuntu
almost 3 years ago
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVSS3: 4.2
nvd
almost 3 years ago
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
CVSS3: 4.2
debian
almost 3 years ago
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...