CVE-2022-29810

low-risk
Published 2022-04-27

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.

Do I need to act?

-
0.10% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Go-Getter

Affected Vendors

Hashicorp

References (6)

Patch https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5...
Patch https://github.com/hashicorp/go-getter/pull/348
Release Notes https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
Patch https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5...
Patch https://github.com/hashicorp/go-getter/pull/348
Release Notes https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal