{"id":"GO-2023-1578","summary":"Denial of service in github.com/hashicorp/go-getter/v2","details":"HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.","aliases":["CVE-2023-0475","GHSA-jpxj-2jvg-6jv9"],"modified":"2024-05-20T16:03:47Z","published":"2023-02-17T21:16:15Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-1578","review_status":"REVIEWED"},"references":[{"type":"WEB","url":"https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125"},{"type":"FIX","url":"https://github.com/hashicorp/go-getter/commit/0edab85348271c843782993345b07b1ac98912e6"},{"type":"FIX","url":"https://github.com/hashicorp/go-getter/commit/78e6721a2a76266718dc92c3c03c1571dffdefdc"}],"affected":[{"package":{"name":"github.com/hashicorp/go-getter/v2","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/go-getter/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.2.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Bzip2Decompressor.Decompress","Client.Get","Client.GetChecksum","FolderStorage.Get","Get","GetAny","GetFile","GzipDecompressor.Decompress","HttpGetter.Get","Request.CopyReader","TarBzip2Decompressor.Decompress","TarGzipDecompressor.Decompress","TarXzDecompressor.Decompress","XzDecompressor.Decompress","ZipDecompressor.Decompress","copyReader","untar"],"path":"github.com/hashicorp/go-getter/v2"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1578.json"}},{"package":{"name":"github.com/hashicorp/go-getter","ecosystem":"Go","purl":"pkg:golang/github.com/hashicorp/go-getter"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.7.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Bzip2Decompressor.Decompress","Client.ChecksumFromFile","Client.Get","FolderStorage.Get","GCSGetter.Get","GCSGetter.GetFile","Get","GetAny","GetFile","GzipDecompressor.Decompress","HttpGetter.Get","S3Getter.Get","S3Getter.GetFile","TarBzip2Decompressor.Decompress","TarDecompressor.Decompress","TarGzipDecompressor.Decompress","TarXzDecompressor.Decompress","TarZstdDecompressor.Decompress","XzDecompressor.Decompress","ZipDecompressor.Decompress","ZstdDecompressor.Decompress","copyReader","untar"],"path":"github.com/hashicorp/go-getter"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-1578.json"}}],"schema_version":"1.7.3"}