CVE-2022-26945: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

The vulnerability CVE-2022-26945 affects go-getter library versions up to 1.5.11 and 2.0.2, which was discovered and disclosed on May 24, 2022. The vulnerability allows protocol switching, endless redirect, and configuration bypass through the abuse of custom HTTP response header processing. This issue has been fixed in versions 1.6.1 and 2.1.0 (HashiCorp Discussion).

The vulnerability is classified as a command injection vulnerability that could be exploited through the manipulation of custom HTTP response header processing. The severity of this issue is rated as Important according to Red Hat's security classification system (Red Hat Advisory).

The impact of this vulnerability varies depending on the context and threat model of the system using the go-getter library. Server-side usage of go-getter has a greater degree of exposure to these issues compared to client-side usage. The vulnerability could potentially lead to arbitrary host access through path traversal, symlink processing, and command injection flaws (HashiCorp Discussion).

Users should upgrade to go-getter versions 1.6.1 and 2.1.0 or newer. Additionally, users should review and consider using new go-getter configuration options including DisableSymlinks, DoNotCheckHeadFirst, HeadFirstTimeout, ReadTimeout, MaxBytes, ConfigInDestinationDisabled, XTerraformGetDisabled, and XTerraformGetLimit to more completely address exposure (HashiCorp Discussion).