The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter.
Weakness
The product writes sensitive information to a log file.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go-getter | Hashicorp | * | 1.5.11 (excluding) |
| Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 | RedHat | rhacm2/cluster-curator-controller-rhel8:v2.3.11-5 | * |
| Red Hat OpenShift Container Platform 4.11 | RedHat | openshift4/ose-baremetal-machine-controllers:v4.11.0-202208020235.p0.ga65be86.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.11 | RedHat | openshift4/ose-baremetal-rhel8-operator:v4.11.0-202208020235.p0.g22b522c.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.11 | RedHat | openshift4/ose-cluster-baremetal-operator-rhel8:v4.11.0-202208020235.p0.g0f415d1.assembly.stream | * |
| Red Hat OpenShift Data Foundation 4.11 on RHEL8 | RedHat | odf4/odr-rhel8-operator:v4.11.0-27 | * |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
- https://github.com/hashicorp/go-getter/pull/348
- https://github.com/hashicorp/go-getter/releases/tag/v1.5.11
- https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc
- https://github.com/hashicorp/go-getter/pull/348
- https://github.com/hashicorp/go-getter/releases/tag/v1.5.11