
Improper Neutralization of HTTP Headers for Scripting Syntax

CVE-2022-30321

Severity High
Score 8.6/10

Summary

The github.com/hashicorp/go-getter module prior to 1.6.1 and 2.x prior to 2.1.0, and github.com/hashicorp/go-getter/v2 prior to 2.1.0, do not safely perform downloads. Protocol switching, endless redirects, and configuration bypass were possible through abuse of custom HTTP response header processing.
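The summary names two redirect-handling failure modes, protocol switching and endless redirects. The following is an added defensive example, not go-getter's own code or its fix: a `CheckRedirect` policy for Go's `net/http` client that refuses any change of URL scheme, caps the number of hops, and optionally pins the target host to an allowlist. The `redirectPolicy` type, the `evaluateRedirect` helper and the `example.com` URLs are constructed here for illustration; Go's default client only applies a hop limit of 10 and does not object to a scheme change.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Sentinel errors so callers (and tests) can tell why a redirect was refused.
var (
	errTooManyRedirects = errors.New("redirect refused: hop limit reached")
	errSchemeChange     = errors.New("redirect refused: scheme changed")
	errHostNotAllowed   = errors.New("redirect refused: host not in allowlist")
)

// redirectPolicy is a hypothetical policy object (not from go-getter) whose
// CheckRedirect method matches the signature of http.Client.CheckRedirect.
type redirectPolicy struct {
	MaxHops      int             // maximum number of redirects to follow
	AllowedHosts map[string]bool // nil means any host is acceptable
}

// CheckRedirect is invoked by net/http before each redirect hop. req is the
// request about to be sent; via holds the requests already issued, oldest
// first, so via[0] is the original download request.
func (p redirectPolicy) CheckRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= p.MaxHops {
		return fmt.Errorf("%w after %d hops", errTooManyRedirects, len(via))
	}
	if len(via) > 0 && req.URL.Scheme != via[0].URL.Scheme {
		// Refuse every scheme switch (https -> http, http -> file, ...).
		return fmt.Errorf("%w: %s -> %s", errSchemeChange, via[0].URL.Scheme, req.URL.Scheme)
	}
	if p.AllowedHosts != nil && !p.AllowedHosts[req.URL.Hostname()] {
		return fmt.Errorf("%w: %s", errHostNotAllowed, req.URL.Hostname())
	}
	return nil
}

// newHardenedClient wires the policy into an ordinary http.Client.
func newHardenedClient(p redirectPolicy) *http.Client {
	return &http.Client{CheckRedirect: p.CheckRedirect}
}

// mustRequest builds a bare GET request for a constructed URL.
func mustRequest(rawURL string) *http.Request {
	u, err := url.Parse(rawURL)
	if err != nil {
		panic(err)
	}
	return &http.Request{Method: http.MethodGet, URL: u, Header: http.Header{}}
}

// evaluateRedirect simulates a redirect chain offline: priorHops requests to
// origin have already been made and the server now redirects to target.
func evaluateRedirect(p redirectPolicy, origin, target string, priorHops int) error {
	via := make([]*http.Request, 0, priorHops)
	for i := 0; i < priorHops; i++ {
		via = append(via, mustRequest(origin))
	}
	return p.CheckRedirect(mustRequest(target), via)
}

func main() {
	policy := redirectPolicy{MaxHops: 5}
	_ = newHardenedClient(policy) // how the policy would be attached in real use

	// Constructed scenarios: a benign same-scheme hop, a downgrade, and a loop.
	cases := []struct {
		origin, target string
		hops           int
	}{
		{"https://example.com/archive.zip", "https://example.com/v2/archive.zip", 1},
		{"https://example.com/archive.zip", "http://example.com/archive.zip", 1},
		{"https://example.com/archive.zip", "https://example.com/archive.zip", 5},
	}
	for _, c := range cases {
		fmt.Printf("%s -> %s (hop %d): %v\n", c.origin, c.target, c.hops,
			evaluateRedirect(policy, c.origin, c.target, c.hops))
	}
}
```

The scheme check compares against `via[0]` rather than the immediately preceding request, so a chain that steps https -> https -> http is still refused; the hop cap bounds a server that redirects to itself indefinitely, which is the "endless redirect" case.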

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • HIGH

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Advisory Timeline

  • Published